Common Weakness Enumeration

CWE-359

Allowed

Exposure of Private Personal Information to an Unauthorized Actor

Abstraction: Base · Status: Incomplete

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

323 vulnerabilities reference this CWE, most recent first.

CVE-2025-12536 (GCVE-0-2025-12536)

Vulnerability from cvelistv5 – Published: 2025-11-13 03:27 – Updated: 2026-04-08 17:11
VLAI
Title
SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure
Summary
The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
Impacted products
Credits
M Indra Purnama
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12536",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T14:27:17.734948Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T14:34:11.893Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SureForms \u2013 Contact Form, Payment Form \u0026 Other Custom Form Builder",
          "vendor": "brainstormforce",
          "versions": [
            {
              "lessThanOrEqual": "1.13.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "M Indra Purnama"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the \u0027_srfm_email_notification\u0027 post meta registration. This is due to setting the \u0027auth_callback\u0027 parameter to \u0027__return_true\u0027, which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:11:47.222Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e8e239a-0ddf-479e-b94b-7844ff6e9e81?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/post-types.php#L892"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3391762/sureforms/trunk/inc/post-types.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-30T20:33:23.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-11-12T15:01:21.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "SureForms \u003c= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-12536",
    "datePublished": "2025-11-13T03:27:39.017Z",
    "dateReserved": "2025-10-30T20:16:38.662Z",
    "dateUpdated": "2026-04-08T17:11:47.222Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11959 (GCVE-0-2025-11959)

Vulnerability from cvelistv5 – Published: 2025-11-11 14:11 – Updated: 2026-06-04 19:23
VLAI
Title
Improper Access Control in Premierturk's Excavation Management Information System
Summary
Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse. This issue affects Excavation Management Information System: before v.10.2025.01.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-552 - Files or Directories Accessible to External Parties
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
Date Public
2025-11-11 14:02
Credits
İbrahim YİĞİTSOY
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11959",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-12T14:54:23.229380Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-12T20:03:06.612Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Excavation Management Information System",
          "vendor": "Premierturk Information Technologies Inc.",
          "versions": [
            {
              "lessThan": "v.10.2025.01",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "\u0130brahim Y\u0130\u011e\u0130TSOY"
        }
      ],
      "datePublic": "2025-11-11T14:02:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse.\u003cp\u003eThis issue affects Excavation Management Information System: before v.10.2025.01.\u003c/p\u003e"
            }
          ],
          "value": "Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse.\n\nThis issue affects Excavation Management Information System: before v.10.2025.01."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-169",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-169 Footprinting"
            }
          ]
        },
        {
          "capecId": "CAPEC-212",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-212 Functionality Misuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-552",
              "description": "CWE-552 Files or Directories Accessible to External Parties",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T19:23:05.823Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource",
            "broken-link"
          ],
          "url": "https://www.usom.gov.tr/bildirim/tr-25-0388"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0388"
        }
      ],
      "source": {
        "advisory": "TR-25-0388",
        "defect": [
          "TR-25-0388"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Improper Access Control in Premierturk\u0027s Excavation Management Information System",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2025-11959",
    "datePublished": "2025-11-11T14:11:50.111Z",
    "dateReserved": "2025-10-20T12:32:42.580Z",
    "dateUpdated": "2026-06-04T19:23:05.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11598 (GCVE-0-2025-11598)

Vulnerability from cvelistv5 – Published: 2026-02-03 11:33 – Updated: 2026-02-03 15:17
VLAI
Title
Exposure of Confidential Information in mObywatel application
Summary
In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized This issue was fixed in version 4.71.0
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
Vendor Product Version
Centralny Ośrodek Informatyki mObywatel Affected: 0 , < 4.71.0 (semver)
Create a notification for this product.
Date Public
2026-02-03 11:06
Credits
Maciej Krakowiak [DSecure.me Sp. z o.o]
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11598",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:12:43.910930Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:17:33.953Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "iOS"
          ],
          "product": "mObywatel",
          "vendor": "Centralny O\u015brodek Informatyki",
          "versions": [
            {
              "lessThan": "4.71.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Maciej Krakowiak [DSecure.me Sp. z o.o]"
        }
      ],
      "datePublic": "2026-02-03T11:06:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In mObywatel iOS application\u0026nbsp;an unauthorized user can use the App Switcher to view the account owner\u0027s personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 4.71.0\u003cbr\u003e"
            }
          ],
          "value": "In mObywatel iOS application\u00a0an unauthorized user can use the App Switcher to view the account owner\u0027s personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized\n\nThis issue was fixed in version 4.71.0"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-508",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-508 Shoulder Surfing"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "PHYSICAL",
            "baseScore": 1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T11:33:55.993Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://info.mobywatel.gov.pl/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/posts/2026/02/CVE-2025-11598"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Exposure of Confidential Information in mObywatel application",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2025-11598",
    "datePublished": "2026-02-03T11:33:55.993Z",
    "dateReserved": "2025-10-10T12:41:40.283Z",
    "dateUpdated": "2026-02-03T15:17:33.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11145 (GCVE-0-2025-11145)

Vulnerability from cvelistv5 – Published: 2025-10-24 14:25 – Updated: 2026-06-04 19:44
VLAI
Title
User Enumeration in CBK Soft's enVision
Summary
Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting. This issue affects enVision: before 250566.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-203 - Observable Discrepancy
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
Date Public
2025-10-24 14:21
Credits
Emre AKTAŞ
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11145",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-28T14:04:56.630174Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-28T14:05:07.301Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "enVision",
          "vendor": "CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc.",
          "versions": [
            {
              "lessThan": "250566",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Emre AKTA\u015e"
        }
      ],
      "datePublic": "2025-10-24T14:21:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting.\u003cp\u003eThis issue affects enVision: before 250566.\u003c/p\u003e"
            }
          ],
          "value": "Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting.\n\nThis issue affects enVision: before 250566."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-575",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-575 Account Footprinting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-203",
              "description": "CWE-203 Observable Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T19:44:41.463Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource",
            "broken-link"
          ],
          "url": "https://www.usom.gov.tr/bildirim/tr-25-0361"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0361"
        }
      ],
      "source": {
        "advisory": "TR-25-0361",
        "defect": [
          "TR-25-0361"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "User Enumeration in CBK Soft\u0027s enVision",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2025-11145",
    "datePublished": "2025-10-24T14:25:37.498Z",
    "dateReserved": "2025-09-29T08:22:55.571Z",
    "dateUpdated": "2026-06-04T19:44:41.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-10450 (GCVE-0-2025-10450)

Vulnerability from cvelistv5 – Published: 2025-12-16 16:09 – Updated: 2026-04-01 01:09
VLAI
Title
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic.
Summary
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.2.0 before 7.3.1.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
RTI
References
Impacted products
Vendor Product Version
RTI Connext Professional Affected: 7.4.0 , < 7.7.0 (custom)
Affected: 7.2.0 , < 7.3.1 (custom)
Create a notification for this product.
Date Public
2025-12-09 15:44
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-10450",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-16T16:34:29.767172Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T16:35:50.604Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Core Libraries"
          ],
          "packageName": "connext_professional",
          "packageURL": "pkg:generic/connext_professional",
          "product": "Connext Professional",
          "vendor": "RTI",
          "versions": [
            {
              "lessThan": "7.7.0",
              "status": "affected",
              "version": "7.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.3.1",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:rti:connext_professional:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.7.0",
                  "versionStartIncluding": "7.4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:rti:connext_professional:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.3.1",
                  "versionStartIncluding": "7.2.0",
                  "vulnerable": true
                }
              ],
              "negated": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2025-12-09T15:44:25.740Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic.\u003cp\u003eThis issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.2.0 before 7.3.1.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.2.0 before 7.3.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-158",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-158 Sniffing Network Traffic"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "Security Extensions Enabled"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T01:09:01.609Z",
        "orgId": "3f572a00-62e2-4423-959a-7ea25eff1638",
        "shortName": "RTI"
      },
      "references": [
        {
          "url": "https://www.rti.com/vulnerabilities/#cve-2025-10450"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic.",
      "x_generator": {
        "engine": "RTI Lubna 1.15.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3f572a00-62e2-4423-959a-7ea25eff1638",
    "assignerShortName": "RTI",
    "cveId": "CVE-2025-10450",
    "datePublished": "2025-12-16T16:09:30.693Z",
    "dateReserved": "2025-09-14T16:19:21.418Z",
    "dateUpdated": "2026-04-01T01:09:01.609Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6017 (GCVE-0-2025-6017)

Vulnerability from cvelistv5 – Published: 2025-07-02 06:36 – Updated: 2025-11-20 21:07
VLAI
Title
Rhacm: users with clusterreader role can see credentials from managed-clusters
Summary
A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
URL Tags
https://access.redhat.com/security/cve/CVE-2025-6017 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2372362 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Affected: 0 , < 0.16.0 (semver)
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2     cpe:/a:redhat:acm:2
Create a notification for this product.
Date Public
2025-07-02 06:33
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6017",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-02T13:13:28.618310Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-02T13:13:39.278Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/open-cluster-management-io/ocm",
          "defaultStatus": "unaffected",
          "packageName": "ocm",
          "versions": [
            {
              "lessThan": "0.16.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:acm:2"
          ],
          "defaultStatus": "affected",
          "packageName": "rhacm2/console-rhel8",
          "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-07-02T06:33:03.003Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T21:07:40.898Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-6017"
        },
        {
          "name": "RHBZ#2372362",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372362"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-11T21:09:13.313Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-07-02T06:33:03.003Z",
          "value": "Made public."
        }
      ],
      "title": "Rhacm: users with clusterreader role can see credentials from managed-clusters",
      "x_redhatCweChain": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-6017",
    "datePublished": "2025-07-02T06:36:47.171Z",
    "dateReserved": "2025-06-11T21:09:21.420Z",
    "dateUpdated": "2025-11-20T21:07:40.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-5334 (GCVE-0-2025-5334)

Vulnerability from cvelistv5 – Published: 2025-05-29 14:47 – Updated: 2025-06-10 18:24
VLAI
Summary
Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to private personal information. Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users. This issue affects the following versions : * Remote Desktop Manager Windows 2025.1.34.0 and earlier * Remote Desktop Manager macOS 2025.1.16.3 and earlier * Remote Desktop Manager Android 2025.1.3.3 and earlier * Remote Desktop Manager iOS 2025.1.6.0 and earlier
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-5334",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-29T14:59:46.593959Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-200",
                "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-29T15:02:42.279Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Remote Desktop Manager",
          "vendor": "Devolutions",
          "versions": [
            {
              "lessThanOrEqual": "2025.1.34.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Android"
          ],
          "product": "Remote Desktop Manager",
          "vendor": "Devolutions",
          "versions": [
            {
              "lessThanOrEqual": "2025.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "iOS"
          ],
          "product": "Remote Desktop Manager",
          "vendor": "Devolutions",
          "versions": [
            {
              "lessThanOrEqual": "2025.1.5.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Remote Desktop Manager",
          "vendor": "Devolutions",
          "versions": [
            {
              "lessThanOrEqual": "2025.1.16.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eExposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager\nallows an authenticated user to gain unauthorized access to private personal information. \n\n\n\nUnder specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects the following versions :\u003c/p\u003e\u003cul\u003e\u003cli\u003eRemote Desktop Manager Windows 2025.1.34.0 and earlier\u003c/li\u003e\u003cli\u003e\nRemote Desktop Manager macOS 2025.1.16.3 and earlier\n\n\u003cbr\u003e\u003c/li\u003e\u003cli\u003e\nRemote Desktop Manager Android 2025.1.3.3 and earlier\u003c/li\u003e\u003cli\u003e\nRemote Desktop Manager iOS 2025.1.6.0 and earlier\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager\nallows an authenticated user to gain unauthorized access to private personal information. \n\n\n\nUnder specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users.\n\n\n\n\nThis issue affects the following versions :\n\n  *  Remote Desktop Manager Windows 2025.1.34.0 and earlier\n  *  \nRemote Desktop Manager macOS 2025.1.16.3 and earlier\n\n\n\n  *  \nRemote Desktop Manager Android 2025.1.3.3 and earlier\n  *  \nRemote Desktop Manager iOS 2025.1.6.0 and earlier"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T18:24:21.477Z",
        "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "shortName": "DEVOLUTIONS"
      },
      "references": [
        {
          "url": "https://devolutions.net/security/advisories/DEVO-2025-0009"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
    "assignerShortName": "DEVOLUTIONS",
    "cveId": "CVE-2025-5334",
    "datePublished": "2025-05-29T14:47:25.817Z",
    "dateReserved": "2025-05-29T14:04:27.697Z",
    "dateUpdated": "2025-06-10T18:24:21.477Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5009 (GCVE-0-2025-5009)

Vulnerability from cvelistv5 – Published: 2025-10-08 15:31 – Updated: 2026-01-22 12:33
VLAI
Title
Information Disclosure in Gemini iOS App
Summary
In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a sharable public link that contained the entire conversation history and not just the snippet.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
Google Gemini Affected: 0
Create a notification for this product.
Credits
Warisjeet Singh (sin99xx)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5009",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-08T15:55:49.577286Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-08T15:56:00.236Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "iOS"
          ],
          "product": "Gemini",
          "vendor": "Google",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Warisjeet Singh (sin99xx)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a sharable public link that contained the entire conversation history and not just the snippet."
            }
          ],
          "value": "In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a sharable public link that contained the entire conversation history and not just the snippet."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-410",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-410 Information Elicitation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 1,
            "baseSeverity": "LOW",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T12:33:26.502Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://medium.com/@warisjeet31/google-gemini-ios-vulnerability-public-link-sharing-silently-leaks-entire-conversations-e1f80cbea25c"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure in Gemini iOS App",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-5009",
    "datePublished": "2025-10-08T15:31:22.903Z",
    "dateReserved": "2025-05-20T13:43:12.869Z",
    "dateUpdated": "2026-01-22T12:33:26.502Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-3950 (GCVE-0-2025-3950)

Vulnerability from cvelistv5 – Published: 2026-01-09 10:04 – Updated: 2026-01-09 14:42
VLAI
Title
Exposure of Private Personal Information to an Unauthorized Actor in GitLab
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
URL Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/537697 issue-trackingpermissions-required
https://hackerone.com/reports/3106477 technical-descriptionexploitpermissions-required
https://about.gitlab.com/releases/2026/01/07/patc…
Impacted products
Vendor Product Version
GitLab GitLab Affected: 10.3 , < 18.5.5 (semver)
Affected: 18.6 , < 18.6.3 (semver)
Affected: 18.7 , < 18.7.1 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3950",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-09T14:39:11.325169Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-09T14:42:21.828Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "18.5.5",
              "status": "affected",
              "version": "10.3",
              "versionType": "semver"
            },
            {
              "lessThan": "18.6.3",
              "status": "affected",
              "version": "18.6",
              "versionType": "semver"
            },
            {
              "lessThan": "18.7.1",
              "status": "affected",
              "version": "18.7",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-09T10:04:51.264Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #537697",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/537697"
        },
        {
          "name": "HackerOne Bug Bounty Report #3106477",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/3106477"
        },
        {
          "url": "https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 18.5.5, 18.6.3, 18.7.1 or above."
        }
      ],
      "title": "Exposure of Private Personal Information to an Unauthorized Actor in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2025-3950",
    "datePublished": "2026-01-09T10:04:51.264Z",
    "dateReserved": "2025-04-25T17:02:14.047Z",
    "dateUpdated": "2026-01-09T14:42:21.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-1030 (GCVE-0-2025-1030)

Vulnerability from cvelistv5 – Published: 2025-12-18 14:22 – Updated: 2026-06-06 07:00
VLAI
Title
Sensitive Data Exposure in Utarit Informatics' SoliClub
Summary
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information. This issue affects SoliClub: from 5.2.4 before 5.3.7.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
Vendor Product Version
Utarit Informatics Services Inc. SoliClub Affected: 5.2.4 , < 5.3.7 (custom)
Create a notification for this product.
Date Public
2025-12-18 14:18
Credits
Mustafa Anıl YILDIRIM
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1030",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-18T15:30:57.091594Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-18T15:32:52.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SoliClub",
          "vendor": "Utarit Informatics Services Inc.",
          "versions": [
            {
              "lessThan": "5.3.7",
              "status": "affected",
              "version": "5.2.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mustafa An\u0131l YILDIRIM"
        }
      ],
      "datePublic": "2025-12-18T14:18:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information.\u003cp\u003eThis issue affects SoliClub: from 5.2.4 before 5.3.7.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information.\n\nThis issue affects SoliClub: from 5.2.4 before 5.3.7."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-06T07:00:43.527Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource",
            "broken-link"
          ],
          "url": "https://www.usom.gov.tr/bildirim/tr-25-0466"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0466"
        }
      ],
      "source": {
        "advisory": "TR-25-0466",
        "defect": [
          "TR-25-0466"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Sensitive Data Exposure in Utarit Informatics\u0027 SoliClub",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2025-1030",
    "datePublished": "2025-12-18T14:22:54.530Z",
    "dateReserved": "2025-02-04T14:41:48.421Z",
    "dateUpdated": "2026-06-06T07:00:43.527Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Requirements

Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others.

Mitigation
Architecture and Design

Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted.

Mitigation MIT-57
Implementation Operation

Strategy: Attack Surface Reduction

  • Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
  • When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
CAPEC-464: Evercookie

An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.

CAPEC-467: Cross Site Identification

An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).

CAPEC-498: Probe iOS Screenshots

An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.

CAPEC-508: Shoulder Surfing

In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.