Common Weakness Enumeration

CWE-359

Allowed

Exposure of Private Personal Information to an Unauthorized Actor

Abstraction: Base · Status: Incomplete

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

323 vulnerabilities reference this CWE, most recent first.

GHSA-M8HC-HMRJ-MF93

Vulnerability from github – Published: 2025-03-11 09:30 – Updated: 2025-05-26 03:30
VLAI
Details

The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-11T07:15:32Z",
    "severity": "MODERATE"
  },
  "details": "The Qubely \u2013 Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the \u0027qubely_get_content\u0027. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data.",
  "id": "GHSA-m8hc-hmrj-mf93",
  "modified": "2025-05-26T03:30:25Z",
  "published": "2025-03-11T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13228"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/qubely/trunk/core/QUBELY.php#L1172"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3253223"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72c66e71-dddb-4142-ae13-da3caffd8714?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MM9R-MQF2-8FJ4

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

Exposure of private personal information to an unauthorized actor in Azure Stack allows an authorized attacker to disclose information locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T18:15:45Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of private personal information to an unauthorized actor in Azure Stack allows an authorized attacker to disclose information locally.",
  "id": "GHSA-mm9r-mqf2-8fj4",
  "modified": "2025-08-12T18:31:32Z",
  "published": "2025-08-12T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53765"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53765"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MMCC-F5RV-H6PC

Vulnerability from github – Published: 2024-02-27 18:31 – Updated: 2024-02-27 18:31
VLAI
Details

Sensitive information disclosure due to excessive collection of system information. The following products are affected: Acronis Cyber Protect 16 (macOS, Windows) before build 37391.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-27T17:15:10Z",
    "severity": "LOW"
  },
  "details": "Sensitive information disclosure due to excessive collection of system information. The following products are affected: Acronis Cyber Protect 16 (macOS, Windows) before build 37391.",
  "id": "GHSA-mmcc-f5rv-h6pc",
  "modified": "2024-02-27T18:31:02Z",
  "published": "2024-02-27T18:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48680"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-5392"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPVQ-WPJ3-WJGW

Vulnerability from github – Published: 2024-08-28 18:31 – Updated: 2024-08-28 18:31
VLAI
Details

Improper access control in the clipboard synchronization feature in TeamViewer Full Client prior version 15.57 and TeamViewer Meeting prior version 15.55.3 can lead to unintentional sharing of the clipboard with the current presenter of a meeting.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-28T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Improper access control in the clipboard synchronization feature in TeamViewer Full Client prior version 15.57 and TeamViewer Meeting prior version 15.55.3 can lead to unintentional sharing of the clipboard with the current presenter of a meeting.",
  "id": "GHSA-mpvq-wpj3-wjgw",
  "modified": "2024-08-28T18:31:55Z",
  "published": "2024-08-28T18:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6053"
    },
    {
      "type": "WEB",
      "url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2024-1007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQMV-FJJ3-CWJX

Vulnerability from github – Published: 2026-04-17 09:31 – Updated: 2026-06-02 15:31
VLAI
Details

Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.

Unauthenticated user can retrieve database password in plaintext in certain situations

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-17T09:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\n\nUnauthenticated user can retrieve database password in plaintext in certain situations",
  "id": "GHSA-mqmv-fjj3-cwjx",
  "modified": "2026-06-02T15:31:54Z",
  "published": "2026-04-17T09:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15623"
    },
    {
      "type": "WEB",
      "url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:C/RE:M/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MRJ3-F2H4-7W45

Vulnerability from github – Published: 2024-03-28 17:52 – Updated: 2026-01-08 21:35
VLAI
Summary
Saleor: Customers' addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method
Details

Summary

Using Pickup: Local stock only as a click-and-collect points could cause a leak of customer addresses

Details

When using Pickup: Local stock only click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address.

Impact

The vulnerability can cause the leak of customer's address when using click-and-collect delivery option marked as Local stock only. It has impact on all orders with click-and-collect delivery method marked as Pickup:Local stock only The affected versions: >=3.14.56 <3.14.61, >=3.15.31 <3.15.37, >=3.16.27 <3.16.34, >=3.17.25 <3.17.32, >=3.18.19 <3.18.28, >=3.19.5 <3.19.15 This issue has been patched in versions: 3.14.61, 3.15.37, 3.16.34, 3.17.32, 3.18.28, 3.19.15

Workaround

We strongly recommend upgrading to the latest versions, in case of inability to upgrade straight away, possible workarounds are: - turn off click-and-collect delivery method on warehouse view when Pickup option is set to Local stock only. - cherry-pick the changes from PRs: https://github.com/saleor/saleor/pull/15694 & https://github.com/saleor/saleor/pull/15697

References

  • Commits introducing the issue (https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761 main, https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26 3.14, https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640 3.15, https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c 3.16, https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4 3.17, https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182 3.18, https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95 3.19)
  • https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b (main branch) https://github.com/saleor/saleor/releases/tag/3.14.60 https://github.com/saleor/saleor/releases/tag/3.14.61 https://github.com/saleor/saleor/releases/tag/3.15.36 https://github.com/saleor/saleor/releases/tag/3.15.37 https://github.com/saleor/saleor/releases/tag/3.16.33 https://github.com/saleor/saleor/releases/tag/3.16.34 https://github.com/saleor/saleor/releases/tag/3.17.31 https://github.com/saleor/saleor/releases/tag/3.17.32 https://github.com/saleor/saleor/releases/tag/3.18.27 https://github.com/saleor/saleor/releases/tag/3.18.28 https://github.com/saleor/saleor/releases/tag/3.19.14 https://github.com/saleor/saleor/releases/tag/3.19.15
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.14.56"
            },
            {
              "fixed": "3.14.61"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.15.31"
            },
            {
              "fixed": "3.15.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.16.27"
            },
            {
              "fixed": "3.16.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.17.25"
            },
            {
              "fixed": "3.17.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.18.19"
            },
            {
              "fixed": "3.18.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.19.5"
            },
            {
              "fixed": "3.19.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-28T17:52:17Z",
    "nvd_published_at": "2024-03-27T19:15:49Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nUsing `Pickup: Local stock only` as a click-and-collect points could cause a leak of customer addresses\n\n### Details\nWhen using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address.\n\n### Impact\nThe vulnerability can cause the leak of customer\u0027s address when using click-and-collect delivery option marked as `Local stock only`. It has impact on all orders with click-and-collect delivery method marked as `Pickup:Local stock only`\nThe affected versions: `\u003e=3.14.56 \u003c3.14.61`, `\u003e=3.15.31 \u003c3.15.37`, `\u003e=3.16.27 \u003c3.16.34`, `\u003e=3.17.25 \u003c3.17.32`, `\u003e=3.18.19 \u003c3.18.28`, `\u003e=3.19.5 \u003c3.19.15`\nThis issue has been patched in versions: `3.14.61`, `3.15.37`, `3.16.34`, `3.17.32`, `3.18.28`, `3.19.15`\n\n\n### Workaround\nWe strongly recommend upgrading to the latest versions, in case of inability to upgrade straight away, possible workarounds are:\n- turn off click-and-collect delivery method on warehouse view when `Pickup` option is set to `Local stock only`.\n- cherry-pick the changes from PRs: https://github.com/saleor/saleor/pull/15694 \u0026 https://github.com/saleor/saleor/pull/15697\n\n### References\n- Commits introducing the issue (https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761 main, https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26 3.14, https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640 3.15, https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c 3.16, https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4 3.17, https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182 3.18, https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95 3.19)\n- https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b (main branch)\nhttps://github.com/saleor/saleor/releases/tag/3.14.60\nhttps://github.com/saleor/saleor/releases/tag/3.14.61\nhttps://github.com/saleor/saleor/releases/tag/3.15.36\nhttps://github.com/saleor/saleor/releases/tag/3.15.37\nhttps://github.com/saleor/saleor/releases/tag/3.16.33\nhttps://github.com/saleor/saleor/releases/tag/3.16.34\nhttps://github.com/saleor/saleor/releases/tag/3.17.31\nhttps://github.com/saleor/saleor/releases/tag/3.17.32\nhttps://github.com/saleor/saleor/releases/tag/3.18.27\nhttps://github.com/saleor/saleor/releases/tag/3.18.28\nhttps://github.com/saleor/saleor/releases/tag/3.19.14\nhttps://github.com/saleor/saleor/releases/tag/3.19.15",
  "id": "GHSA-mrj3-f2h4-7w45",
  "modified": "2026-01-08T21:35:17Z",
  "published": "2024-03-28T17:52:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/security/advisories/GHSA-mrj3-f2h4-7w45"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29888"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/pull/15697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/pull/15694"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.14.61"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.15.37"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.16.34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.17.32"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.18.28"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.19.15"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saleor/saleor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Saleor: Customers\u0027 addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method"
}

GHSA-MXV9-646F-J7QV

Vulnerability from github – Published: 2026-06-11 21:31 – Updated: 2026-06-11 21:31
VLAI
Details

A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T19:16:27Z",
    "severity": "MODERATE"
  },
  "details": "A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.",
  "id": "GHSA-mxv9-646f-j7qv",
  "modified": "2026-06-11T21:31:55Z",
  "published": "2026-06-11T21:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30459"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P549-C3CG-F4QM

Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2025-04-10 21:31
VLAI
Details

By first using the AI chatbot in one tab and later activating it in another tab, the document title of the previous tab would leak into the chat prompt. This vulnerability affects Firefox < 137.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T13:15:41Z",
    "severity": "MODERATE"
  },
  "details": "By first using the AI chatbot in one tab and later activating it in another tab, the document title of the previous tab would leak into the chat prompt. This vulnerability affects Firefox \u003c 137.",
  "id": "GHSA-p549-c3cg-f4qm",
  "modified": "2025-04-10T21:31:07Z",
  "published": "2025-04-01T15:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3035"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1952268"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6R2-HPHJ-V8H7

Vulnerability from github – Published: 2025-07-30 00:32 – Updated: 2025-11-03 21:34
VLAI
Details

The issue was addressed by adding additional logic. This issue is fixed in iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6. Privacy Indicators for microphone or camera access may not be correctly displayed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-30T00:15:33Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed by adding additional logic. This issue is fixed in iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6. Privacy Indicators for microphone or camera access may not be correctly displayed.",
  "id": "GHSA-p6r2-hphj-v8h7",
  "modified": "2025-11-03T21:34:14Z",
  "published": "2025-07-30T00:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43217"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/124147"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/124148"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jul/30"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jul/31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P88W-FHXW-XVCC

Vulnerability from github – Published: 2022-11-21 23:25 – Updated: 2022-11-28 15:50
VLAI
Summary
Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server
Details

Impact

The modifications rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the modifications rest endpoint (e.g., comments, page names...).

Patches

Users should upgrade to XWiki 14.6+, 14.4.3+, or13.10.8+. Older versions have not been patched.

Workarounds

No known workaround.

References

  • Patch: https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
  • Jira issue: https://jira.xwiki.org/browse/XWIKI-19997

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.1"
            },
            {
              "fixed": "13.10.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5.0"
            },
            {
              "fixed": "14.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T23:25:00Z",
    "nvd_published_at": "2022-11-22T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe `modifications` rest endpoint does not filter out entries according to the user\u0027s rights. Therefore, information hidden from unauthorized users are exposed though the `modifications` rest endpoint (e.g., comments, page names...). \n\n### Patches\nUsers should upgrade to XWiki 14.6+, 14.4.3+,  or13.10.8+. Older versions have not been patched.\n\n### Workarounds\nNo known workaround.\n\n### References\n\n- Patch: https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff\n- Jira issue: https://jira.xwiki.org/browse/XWIKI-19997\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n- Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
  "id": "GHSA-p88w-fhxw-xvcc",
  "modified": "2022-11-28T15:50:31Z",
  "published": "2022-11-21T23:25:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p88w-fhxw-xvcc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41936"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-19997"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server"
}

Mitigation
Requirements

Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others.

Mitigation
Architecture and Design

Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted.

Mitigation MIT-57
Implementation Operation

Strategy: Attack Surface Reduction

  • Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
  • When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
CAPEC-464: Evercookie

An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.

CAPEC-467: Cross Site Identification

An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).

CAPEC-498: Probe iOS Screenshots

An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.

CAPEC-508: Shoulder Surfing

In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.