Common Weakness Enumeration

CWE-525

Allowed

Use of Web Browser Cache Containing Sensitive Information

Abstraction: Variant · Status: Incomplete

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

60 vulnerabilities reference this CWE, most recent first.

GHSA-JVQQ-64W2-QQ2F

Vulnerability from github – Published: 2024-06-29 06:31 – Updated: 2024-06-29 06:31
VLAI
Details

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Software Suite 1.10.12.0 through 1.10.21.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 233673.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-28T19:15:03Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Software Suite 1.10.12.0 through 1.10.21.0 allows web pages to be stored locally which can be read by another user on the system.  IBM X-Force ID:  233673.",
  "id": "GHSA-jvqq-64w2-qq2f",
  "modified": "2024-06-29T06:31:39Z",
  "published": "2024-06-29T06:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38383"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233673"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7158986"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXRX-2M3C-2G9F

Vulnerability from github – Published: 2025-01-26 15:30 – Updated: 2025-01-26 15:30
VLAI
Details

IBM Automation Decision Services 23.0.2 allows web pages to be stored locally which can be read by another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-26T15:15:22Z",
    "severity": "MODERATE"
  },
  "details": "IBM Automation Decision Services 23.0.2 allows web pages to be stored locally which can be read by another user on the system.",
  "id": "GHSA-jxrx-2m3c-2g9f",
  "modified": "2025-01-26T15:30:49Z",
  "published": "2025-01-26T15:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31906"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7150662"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHPG-HPJ5-73R2

Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2026-01-08 21:24
VLAI
Summary
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
Details

Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "10.4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.5.0"
            },
            {
              "fixed": "10.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.2.0"
            },
            {
              "fixed": "11.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0"
            },
            {
              "fixed": "7.103"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-18T21:56:20Z",
    "nvd_published_at": "2025-11-18T17:15:59Z",
    "severity": "LOW"
  },
  "details": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.",
  "id": "GHSA-mhpg-hpj5-73r2",
  "modified": "2026-01-08T21:24:14Z",
  "published": "2025-11-18T18:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13083"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2025-008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels"
}

GHSA-PW59-4QGF-JXR8

Vulnerability from github – Published: 2021-06-18 22:04 – Updated: 2022-04-04 21:27
VLAI
Summary
Cache Manipulation Attack in Apache Traffic Control
Details

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/apache/trafficcontrol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-17522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-04T21:27:42Z",
    "nvd_published_at": "2021-01-26T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.",
  "id": "GHSA-pw59-4qgf-jxr8",
  "modified": "2022-04-04T21:27:42Z",
  "published": "2021-06-18T22:04:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/trafficcontrol/commit/492290d810e9608afb5d265b98cd3f3e153e776b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/trafficcontrol"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8@%3Ccommits.trafficcontrol.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3de212a3da73bcf98fa2db7eafb75b2eb8e131ff466e6efc4284df09%40%3Cdev.trafficcontrol.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf@%3Ccommits.trafficcontrol.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cache Manipulation Attack in Apache Traffic Control"
}

GHSA-PW85-34WF-P82J

Vulnerability from github – Published: 2025-10-10 12:30 – Updated: 2025-10-24 21:31
VLAI
Details

A vulnerability 

Cacheable SSL Page Found vulnerability has been identified

in HCL AION. 

Cached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser

This issue affects AION: 2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-10T11:15:42Z",
    "severity": "LOW"
  },
  "details": "A vulnerability\u00a0\n\nCacheable SSL Page Found vulnerability has been identified\n\n in HCL AION.\u00a0\n\nCached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser\n\nThis issue affects AION: 2.0.",
  "id": "GHSA-pw85-34wf-p82j",
  "modified": "2025-10-24T21:31:10Z",
  "published": "2025-10-10T12:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52625"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124444"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q52W-499F-86FQ

Vulnerability from github – Published: 2026-03-03 21:31 – Updated: 2026-03-03 21:31
VLAI
Details

IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-03T20:16:43Z",
    "severity": "MODERATE"
  },
  "details": "IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system.",
  "id": "GHSA-q52w-499f-86fq",
  "modified": "2026-03-03T21:31:16Z",
  "published": "2026-03-03T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36364"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7261930"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R7P4-7JH5-PMJP

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32
VLAI
Details

IBM TXSeries for Multiplatforms 8.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 280190.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T14:57:44Z",
    "severity": "MODERATE"
  },
  "details": "IBM TXSeries for Multiplatforms 8.2 allows web pages to be stored locally which can be read by another user on the system.  IBM X-Force ID:  280190.",
  "id": "GHSA-r7p4-7jh5-pmjp",
  "modified": "2024-05-14T15:32:52Z",
  "published": "2024-05-14T15:32:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22343"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/280190"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7150667"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X59X-PG5J-HFH3

Vulnerability from github – Published: 2025-05-15 09:31 – Updated: 2025-05-15 09:31
VLAI
Details

Information Exposure vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-15T07:15:50Z",
    "severity": "LOW"
  },
  "details": "Information Exposure vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.",
  "id": "GHSA-x59x-pg5j-hfh3",
  "modified": "2025-05-15T09:31:20Z",
  "published": "2025-05-15T09:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27525"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-115/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP2V-RF5W-RH2C

Vulnerability from github – Published: 2024-03-15 18:30 – Updated: 2024-03-15 18:30
VLAI
Details

IBM Sterling Secure Proxy 6.0.3 and 6.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 269686.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-15T16:15:07Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling Secure Proxy 6.0.3 and 6.1.0 allows web pages to be stored locally which can be read by another user on the system.  IBM X-Force ID:  269686.",
  "id": "GHSA-xp2v-rf5w-rh2c",
  "modified": "2024-03-15T18:30:36Z",
  "published": "2024-03-15T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46181"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/269686"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7142038"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPJ8-V2G3-X4R2

Vulnerability from github – Published: 2026-06-02 15:32 – Updated: 2026-06-02 15:32
VLAI
Details

A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-525"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-02T14:16:53Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions \u003c V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.",
  "id": "GHSA-xpj8-v2g3-x4r2",
  "modified": "2026-06-02T15:32:12Z",
  "published": "2026-06-02T15:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41918"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Protect information stored in cache.

Mitigation
Implementation

Use a restrictive caching policy for forms and web pages that potentially contain sensitive information, such as "no-cache" in the Cache-Control header.

Mitigation
Architecture and Design

Do not store unnecessarily sensitive information in the cache.

Mitigation
Architecture and Design

Consider using encryption in the cache.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.