Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable web app with no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is pure data exposure, so C:H with I:N/A:N and no scope change.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers.
AnalysisAI
Information disclosure in Johnson & Johnson's Campus Recruiting web application (versions prior to the 2025-10-31 fix) allows remote unauthenticated attackers to view sensitive data submitted by recruited students as well as private notes interviewers entered about those candidates. The flaw stems from the server relying on client-side restrictions rather than enforcing authorization server-side (CWE-602). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to the Johnson & Johnson Campus Recruiting web application as it existed before 2025-10-31 - no authentication, no privileges, and no user interaction (AV:N/AC:L/PR:N/UI:N), consistent with the server relying on client-side rather than server-side access enforcement (CWE-602). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward a moderate-but-real confidentiality risk rather than a critical infrastructure threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker browses to the recruiting application and, by directly requesting candidate record endpoints or altering identifiers/parameters that the front-end normally hides, retrieves student application data and interviewers' private notes without logging in. Given the network vector and low attack complexity, this requires only a web client and basic request manipulation; a public researcher write-up describing the technique exists, but no packaged exploit tool was provided in the source data. |
| Remediation | Patch available per vendor advisory: Johnson & Johnson is reported to have remediated the issue on/before 2025-10-31, so any current production instance of the hosted application should already incorporate the fix - confirm directly with J&J that your tenant/instance was patched. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all affected application instances; assess scope of exposed data; prepare candidate notification strategy. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39643
GHSA-q2wr-7pw7-p6fg