CVE-2019-14280
In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn’t stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.
Date published : 2019-07-25
http://packetstormsecurity.com/files/154276/Craft-CMS-2.7.9-3.2.5-Information-Disclosure.html
https://github.com/craftcms/cms/blob/develop-v2/CHANGELOG-v2.md#2710—2019-07-24