CWE-359
AllowedExposure of Private Personal Information to an Unauthorized Actor
Abstraction: Base · Status: Incomplete
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
323 vulnerabilities reference this CWE, most recent first.
GHSA-QPP2-2MCP-2WM5
Vulnerability from github – Published: 2022-04-08 22:00 – Updated: 2022-04-19 18:26Impact
A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents.
Patches
The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1.
Workarounds
There is no known workaround for this problem.
References
https://jira.xwiki.org/browse/XWIKI-16544
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at our security mailing list
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-web"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-web"
},
"ranges": [
{
"events": [
{
"introduced": "13.5.0"
},
{
"fixed": "13.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24820"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-306",
"CWE-359"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-08T22:00:54Z",
"nvd_published_at": "2022-04-08T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nA guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents.\n\n### Patches\nThe problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1.\n\n### Workarounds\nThere is no known workaround for this problem.\n\n### References\nhttps://jira.xwiki.org/browse/XWIKI-16544\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki](https://jira.xwiki.org)\n* Email us at [our security mailing list](mailto:security@xwiki.org)\n",
"id": "GHSA-qpp2-2mcp-2wm5",
"modified": "2022-04-19T18:26:55Z",
"published": "2022-04-08T22:00:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qpp2-2mcp-2wm5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24820"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-16544"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Unauthenticated user can list hidden document from multiple velocity templates in XWiki"
}
GHSA-QQ98-52PP-9245
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2024-04-04 08:54When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request
{
"affected": [],
"aliases": [
"CVE-2023-34085"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-25T18:17:28Z",
"severity": "MODERATE"
},
"details": "When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request\n",
"id": "GHSA-qq98-52pp-9245",
"modified": "2024-04-04T08:54:42Z",
"published": "2023-10-25T18:32:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34085"
},
{
"type": "WEB",
"url": "https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244"
},
{
"type": "WEB",
"url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQJM-7PV6-7Q82
Vulnerability from github – Published: 2026-06-26 03:31 – Updated: 2026-06-26 03:31A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERR_PROXY_TUNNEL error messages.
When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
{
"affected": [],
"aliases": [
"CVE-2026-48615"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T02:16:52Z",
"severity": "MODERATE"
},
"details": "A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.\n\nWhen proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"id": "GHSA-qqjm-7pv6-7q82",
"modified": "2026-06-26T03:31:29Z",
"published": "2026-06-26T03:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48615"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QR57-VVQ6-CV59
Vulnerability from github – Published: 2024-04-18 21:30 – Updated: 2024-04-18 21:30Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-29986"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-18T19:15:11Z",
"severity": "MODERATE"
},
"details": "Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability",
"id": "GHSA-qr57-vvq6-cv59",
"modified": "2024-04-18T21:30:31Z",
"published": "2024-04-18T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29986"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29986"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QXH6-94W6-9R5P
Vulnerability from github – Published: 2026-06-15 17:25 – Updated: 2026-06-15 17:25An information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm.
This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.
Impact
If an application configured with the Angular Service Worker fetches assets with credential headers (such as Authorization header), and one of those requests is redirected to a different origin, the Service Worker will forward those headers to the new origin. This exposes critical credentials and session identifiers to unauthorized third-party servers.
Attack Preconditions
For this vulnerability to be exploitable:
1. Vulnerable Configuration: The application must utilize the @angular/service-worker package to fetch assets.
2. Credentialed Requests: The application must attach sensitive request headers (like Authorization, Proxy-Authorization, or rely on cookies) to asset-group requests.
3. Redirect Flow: These requests must encounter a cross-origin redirect to an attacker-controlled or untrusted domain.
Patched Versions
- 22.0.1
- 21.2.17
- 20.3.25
Credits
This vulnerability was discovered and reported by CodeMender from Google DeepMind.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@angular/service-worker"
},
"ranges": [
{
"events": [
{
"introduced": "22.0.0-next.0"
},
{
"fixed": "22.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/service-worker"
},
"ranges": [
{
"events": [
{
"introduced": "21.0.0-next.0"
},
{
"fixed": "21.2.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/service-worker"
},
"ranges": [
{
"events": [
{
"introduced": "20.0.0-next.0"
},
{
"fixed": "20.3.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/service-worker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.2.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54264"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-359"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T17:25:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An information disclosure vulnerability exists in the `@angular/service-worker` package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. \n\nThis allows a remote attacker to obtain sensitive credentials (e.g., `Authorization` tokens, `Proxy-Authorization` credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.\n\n### Impact\nIf an application configured with the Angular Service Worker fetches assets with credential headers (such as `Authorization` header), and one of those requests is redirected to a different origin, the Service Worker will forward those headers to the new origin. This exposes critical credentials and session identifiers to unauthorized third-party servers.\n\n### Attack Preconditions\nFor this vulnerability to be exploitable:\n1. **Vulnerable Configuration:** The application must utilize the `@angular/service-worker` package to fetch assets.\n2. **Credentialed Requests:** The application must attach sensitive request headers (like `Authorization`, `Proxy-Authorization`, or rely on cookies) to asset-group requests.\n3. **Redirect Flow:** These requests must encounter a cross-origin redirect to an attacker-controlled or untrusted domain.\n\n### Patched Versions\n* 22.0.1 \n* 21.2.17 \n* 20.3.25\n\n### Credits\nThis vulnerability was discovered and reported by [CodeMender from Google DeepMind](https://deepmind.google/blog/introducing-codemender-an-ai-agent-for-code-security/).",
"id": "GHSA-qxh6-94w6-9r5p",
"modified": "2026-06-15T17:25:55Z",
"published": "2026-06-15T17:25:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/pull/69029"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08"
},
{
"type": "PACKAGE",
"url": "https://github.com/angular/angular"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker"
}
GHSA-R2HW-74XV-4GQP
Vulnerability from github – Published: 2023-10-24 19:25 – Updated: 2024-10-07 15:09Impact
In Nautobot 2.0.x, certain REST API endpoints, in combination with the ?depth=<N> query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints.
The passwords are not exposed in plaintext. Nautobot 1.x is not affected by this vulnerability.
Example:
GET /api/users/permissions/?depth=1
HTTP 200 OK
API-Version: 2.0
Allow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 1,
"next": null,
"previous": null,
"results": [
{
"id": "28ea85e4-5039-4389-94f1-9a3e1c787149",
"object_type": "users.objectpermission",
"display": "Run Job",
"url": "http://localhost:8080/api/users/permissions/28ea85e4-5039-4389-94f1-9a3e1c787149/",
"natural_slug": "run-job_28ea",
"object_types": [
"extras.job"
],
"name": "Run Job",
"description": "",
"enabled": true,
"actions": [
"run",
"view"
],
"constraints": null,
"groups": [
{
"id": 1,
"object_type": "auth.group",
"display": "A Group",
"url": "http://localhost:8080/api/users/groups/1/",
"natural_slug": "a-group_1",
"name": "A Group"
}
],
"users": [
{
"id": "e73288e2-1326-4bfb-8fea-041290dd7473",
"object_type": "users.user",
"display": "admin",
"url": "http://localhost:8080/api/users/users/e73288e2-1326-4bfb-8fea-041290dd7473/",
"natural_slug": "admin_e732",
"password": "pbkdf2_sha256$260000$jQb7hA48HYJ0MLWQgOZiBl$b72+gz6SpZiRpxceRQfT5Zv/aUac0eJ4NdBTZ8ECOow=",
"last_login": "2023-10-18T14:19:08.780857Z",
"is_superuser": true,
"username": "admin",
"first_name": "",
"last_name": "",
"email": "",
"is_staff": true,
"is_active": true,
"date_joined": "2023-10-18T14:18:55.854023Z",
"config_data": {}
}
]
}
]
}
Note the "password" field present in the nested
"users"data.
This information is not exposed during direct access to the /api/users/users/ endpoint, but can be exposed through any endpoint which contains a nested reference to User object(s) when an appropriate ?depth=<N> query parameter is specified. Known impacted endpoints include:
/api/dcim/rack-reservations/?depth=1(or any greaterdepthvalue)/api/extras/job-results/?depth=1(or any greaterdepthvalue)/api/extras/notes/?depth=1(or any greaterdepthvalue)/api/extras/object-changes/?depth=1(or any greaterdepthvalue)/api/extras/scheduled-jobs/?depth=1(or any greaterdepthvalue)/api/users/permissions/?depth=1(or any greaterdepthvalue)
but this is not necessarily an exhaustive list.
Plugin REST API endpoints for any models with a foreign key to the User model may also be impacted by this issue.
The patch identified below mitigates the issue for both Nautobot core REST APIs and plugin REST APIs; no code change in plugins is required to address this issue.
Patches
Refer to https://github.com/nautobot/nautobot/pull/4692 for the patch that resolved this issue.
Workarounds
Upgrading to v2.0.3 or later, or applying the above patch, is the preferred workaround for this issue; while it could also be partially mitigated by updating permissions to deny user access to the above list of impacted REST API endpoints, that is not recommended as other endpoints may also expose this issue until patched.
References
https://github.com/nautobot/nautobot/pull/4692
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46128"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312",
"CWE-359"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-24T19:25:24Z",
"nvd_published_at": "2023-10-25T18:17:36Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIn Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=\u003cN\u003e` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. \n\n\u003e The passwords are *not* exposed in plaintext. \n\u003e Nautobot 1.x is *not* affected by this vulnerability.\n\nExample:\n\n```\nGET /api/users/permissions/?depth=1\n\nHTTP 200 OK\nAPI-Version: 2.0\nAllow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS\nContent-Type: application/json\nVary: Accept\n```\n\n```json\n{\n \"count\": 1,\n \"next\": null,\n \"previous\": null,\n \"results\": [\n {\n \"id\": \"28ea85e4-5039-4389-94f1-9a3e1c787149\",\n \"object_type\": \"users.objectpermission\",\n \"display\": \"Run Job\",\n \"url\": \"http://localhost:8080/api/users/permissions/28ea85e4-5039-4389-94f1-9a3e1c787149/\",\n \"natural_slug\": \"run-job_28ea\",\n \"object_types\": [\n \"extras.job\"\n ],\n \"name\": \"Run Job\",\n \"description\": \"\",\n \"enabled\": true,\n \"actions\": [\n \"run\",\n \"view\"\n ],\n \"constraints\": null,\n \"groups\": [\n {\n \"id\": 1,\n \"object_type\": \"auth.group\",\n \"display\": \"A Group\",\n \"url\": \"http://localhost:8080/api/users/groups/1/\",\n \"natural_slug\": \"a-group_1\",\n \"name\": \"A Group\"\n }\n ],\n \"users\": [\n {\n \"id\": \"e73288e2-1326-4bfb-8fea-041290dd7473\",\n \"object_type\": \"users.user\",\n \"display\": \"admin\",\n \"url\": \"http://localhost:8080/api/users/users/e73288e2-1326-4bfb-8fea-041290dd7473/\",\n \"natural_slug\": \"admin_e732\",\n \"password\": \"pbkdf2_sha256$260000$jQb7hA48HYJ0MLWQgOZiBl$b72+gz6SpZiRpxceRQfT5Zv/aUac0eJ4NdBTZ8ECOow=\",\n \"last_login\": \"2023-10-18T14:19:08.780857Z\",\n \"is_superuser\": true,\n \"username\": \"admin\",\n \"first_name\": \"\",\n \"last_name\": \"\",\n \"email\": \"\",\n \"is_staff\": true,\n \"is_active\": true,\n \"date_joined\": \"2023-10-18T14:18:55.854023Z\",\n \"config_data\": {}\n }\n ]\n }\n ]\n}\n```\n\n\u003e Note the \"password\" field present in the nested `\"users\"` data.\n\nThis information is not exposed during direct access to the `/api/users/users/` endpoint, but can be exposed through any endpoint which contains a nested reference to User object(s) when an appropriate `?depth=\u003cN\u003e` query parameter is specified. Known impacted endpoints include:\n\n- `/api/dcim/rack-reservations/?depth=1`(or any greater `depth` value)\n- `/api/extras/job-results/?depth=1` (or any greater `depth` value)\n- `/api/extras/notes/?depth=1` (or any greater `depth` value)\n- `/api/extras/object-changes/?depth=1` (or any greater `depth` value)\n- `/api/extras/scheduled-jobs/?depth=1` (or any greater `depth` value)\n- `/api/users/permissions/?depth=1` (or any greater `depth` value)\n\nbut this is not necessarily an exhaustive list. \n\n\u003e Plugin REST API endpoints for any models with a foreign key to the User model may also be impacted by this issue.\n\n\u003e The patch identified below mitigates the issue for both Nautobot core REST APIs and plugin REST APIs; no code change in plugins is required to address this issue.\n\n### Patches\n\nRefer to https://github.com/nautobot/nautobot/pull/4692 for the patch that resolved this issue.\n\n### Workarounds\n\nUpgrading to v2.0.3 or later, or applying the above patch, is the preferred workaround for this issue; while it could also be partially mitigated by updating permissions to deny user access to the above list of impacted REST API endpoints, that is not recommended as other endpoints may also expose this issue until patched.\n\n### References\n\nhttps://github.com/nautobot/nautobot/pull/4692\n",
"id": "GHSA-r2hw-74xv-4gqp",
"modified": "2024-10-07T15:09:56Z",
"published": "2023-10-24T19:25:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46128"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/pull/4692"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d40d71"
},
{
"type": "PACKAGE",
"url": "https://github.com/nautobot/nautobot"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-220.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nautobot vulnerable to exposure of hashed user passwords via REST API"
}
GHSA-R38M-CGPG-QJ69
Vulnerability from github – Published: 2025-08-05 17:12 – Updated: 2025-08-06 14:31Impact
Any user with edit right on a page of the wiki can create an XClass with a database list property that references a password property, for example the password hash that is stored for users. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view.
Patches
This vulnerability has been pached in XWiki 16.4.7, 16.10.5, and 17.2.0 by disallowing the use of password properties in database list properties. Additionally, queries for email properties are disallowed, too, when email obfuscation is enabled.
Workarounds
We're not aware of any workarounds.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "9.8-rc-1"
},
{
"fixed": "16.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0-rc-1"
},
{
"fixed": "17.2.0-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-legacy-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "9.8-rc-1"
},
{
"fixed": "16.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-legacy-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-legacy-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0-rc-1"
},
{
"fixed": "17.2.0-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54124"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-05T17:12:03Z",
"nvd_published_at": "2025-08-06T00:15:30Z",
"severity": "HIGH"
},
"details": "### Impact\nAny user with edit right on a page of the wiki can create an XClass with a database list property that references a password property, for example the password hash that is stored for users. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view.\n\n### Patches\nThis vulnerability has been pached in XWiki 16.4.7, 16.10.5, and 17.2.0 by disallowing the use of password properties in database list properties. Additionally, queries for email properties are disallowed, too, when email obfuscation is enabled.\n\n### Workarounds\nWe\u0027re not aware of any workarounds.",
"id": "GHSA-r38m-cgpg-qj69",
"modified": "2025-08-06T14:31:18Z",
"published": "2025-08-05T17:12:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54124"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-22811"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki leaks password hashes and other accessible password properties"
}
GHSA-R6CM-WG48-RH2R
Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-04-17 17:13The software is a booking management system that has a public form to place bookings, and a private area for the calendar and management of services, users, settings, etc. There is a backend API that allows data manipulation, including listing the appointments for a specific time range. This happens on this endpoint: /index.php/backend_api/ajax_get_calendar_events Unfortunately, there is no authentication / permissions-check on that endpoint, the only required parameters in a POST request are "startDate", "endDate" and "csrfToken". Because the csrfToken can be obtained by any unauthenticated user just visiting the public form (and is valid for the backend as well), any attacker can query the backend API and obtain all sorts of private information about the appointment, in JSON format.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "alextselegidis/easyappointments"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0482"
],
"database_specific": {
"cwe_ids": [
"CWE-359",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-10T21:50:52Z",
"nvd_published_at": "2022-03-09T11:15:00Z",
"severity": "CRITICAL"
},
"details": "The software is a booking management system that has a public form to place bookings, and a private area for the calendar and management of services, users, settings, etc. There is a backend API that allows data manipulation, including listing the appointments for a specific time range. This happens on this endpoint: /index.php/backend_api/ajax_get_calendar_events Unfortunately, there is no authentication / permissions-check on that endpoint, the only required parameters in a POST request are \"startDate\", \"endDate\" and \"csrfToken\". Because the csrfToken can be obtained by any unauthenticated user just visiting the public form (and is valid for the backend as well), any attacker can query the backend API and obtain all sorts of private information about the appointment, in JSON format.",
"id": "GHSA-r6cm-wg48-rh2r",
"modified": "2022-04-17T17:13:16Z",
"published": "2022-03-10T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0482"
},
{
"type": "WEB",
"url": "https://github.com/alextselegidis/easyappointments/commit/44af526a6fc5e898bc1e0132b2af9eb3a9b2c466"
},
{
"type": "PACKAGE",
"url": "https://github.com/alextselegidis/easyappointments"
},
{
"type": "WEB",
"url": "https://github.com/alextselegidis/easyappointments/releases/tag/1.4.3"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26"
},
{
"type": "WEB",
"url": "https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/166701/Easy-Appointments-Information-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments"
}
GHSA-R7MF-5W8W-4X2H
Vulnerability from github – Published: 2024-09-19 06:31 – Updated: 2024-09-26 18:31This vulnerability exists in LD DP Back Office due to improper validation of certain parameters “cCdslClicentcode” and “cLdClientCode” in the API endpoint. An authenticated remote attacker could exploit this vulnerability by manipulating parameters in the API request body leading to exposure of sensitive information belonging to other users.
{
"affected": [],
"aliases": [
"CVE-2024-47085"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-19T06:15:02Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in LD DP Back Office due to improper validation of certain parameters \u201ccCdslClicentcode\u201d and \u201ccLdClientCode\u201d in the API endpoint. An authenticated remote attacker could exploit this vulnerability by manipulating parameters in the API request body leading to exposure of sensitive information belonging to other users.",
"id": "GHSA-r7mf-5w8w-4x2h",
"modified": "2024-09-26T18:31:43Z",
"published": "2024-09-19T06:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47085"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0296"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R93J-3MMP-PX57
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2025-10-21 22:38An issue was discovered in Mattermost Server before 3.1.1. The initial_load API disclosed unnecessary personal information.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-11066"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-359"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-21T22:38:28Z",
"nvd_published_at": "2020-06-19T20:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Mattermost Server before 3.1.1. The initial_load API disclosed unnecessary personal information.",
"id": "GHSA-r93j-3mmp-px57",
"modified": "2025-10-21T22:38:56Z",
"published": "2022-05-24T17:21:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11066"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/f89e7c6d543a82d6078c2ca0f892914d7976a6f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mattermost Server: initial_load API exposes unnecessary information"
}
Mitigation
Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others.
Mitigation
Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted.
Mitigation MIT-57
Strategy: Attack Surface Reduction
- Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
- When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
CAPEC-464: Evercookie
An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.
CAPEC-467: Cross Site Identification
An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).
CAPEC-498: Probe iOS Screenshots
An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.
CAPEC-508: Shoulder Surfing
In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.