Campus Recruiting
Monthly
Information disclosure in Johnson & Johnson's Campus Recruiting web application (versions prior to the 2025-10-31 fix) allows remote unauthenticated attackers to view sensitive data submitted by recruited students as well as private notes interviewers entered about those candidates. The flaw stems from the server relying on client-side restrictions rather than enforcing authorization server-side (CWE-602). No CISA KEV listing or formal exploit code is published, though an independent security researcher (Eaton Works) documented the issue in a public write-up.
Information disclosure in Johnson & Johnson's Campus Recruiting web application (versions prior to the 2025-10-31 fix) allows remote unauthenticated attackers to view sensitive data submitted by recruited students as well as private notes interviewers entered about those candidates. The flaw stems from the server relying on client-side restrictions rather than enforcing authorization server-side (CWE-602). No CISA KEV listing or formal exploit code is published, though an independent security researcher (Eaton Works) documented the issue in a public write-up.