Abstraction: Base · Status: Incomplete

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Category: auth

Description

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Common consequences · 1

  • Confidentiality — Read Application Data

Potential mitigations · 3

  • [Requirements]
  • [Architecture and Design]
  • [Implementation, Operation]

Related CAPEC attack patterns · 4

CAPEC-464, CAPEC-467, CAPEC-498, CAPEC-508

References

  1. https://cwe.mitre.org/data/definitions/359.html

Exploits (incoming) · 4

Type          | Target                                | Confidence | Tier
AttackPattern | Cross Site Identification (capec-467) | 100%       | live
AttackPattern | Probe iOS Screenshots (capec-498)     | 100%       | live
AttackPattern | Shoulder Surfing (capec-508)          | 100%       | live
AttackPattern | Evercookie (capec-464)                | 100%       | live

Compliance frameworks addressing this (incoming) · 3

Type              | Target                | Confidence | Tier
ComplianceControl | iso27701-a.7.4.1      | 100%       | live
ComplianceControl | iso27701-a.7.4.5      | 100%       | live
ComplianceControl | owasp_llm_top10-llm02 | 100%       | live

Vulnerabilities (incoming) · 2

Type          | Target                          | Confidence | Tier
Vulnerability | CVE-2025-11959 (cve-2025-11959) | 0%         | live
Vulnerability | CVE-2025-66172 (cve-2025-66172) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE: Missing Encryption of Sensitive Data
  • CWE: Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • CWE: Exposure of Sensitive Information Due to Incompatible Policies
  • CWE: Insufficiently Protected Credentials
  • CWE: Weak Authentication

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.