CWE-525
AllowedUse of Web Browser Cache Containing Sensitive Information
Abstraction: Variant · Status: Incomplete
The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
60 vulnerabilities reference this CWE, most recent first.
GHSA-JVQQ-64W2-QQ2F
Vulnerability from github – Published: 2024-06-29 06:31 – Updated: 2024-06-29 06:31IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Software Suite 1.10.12.0 through 1.10.21.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 233673.
{
"affected": [],
"aliases": [
"CVE-2022-38383"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-28T19:15:03Z",
"severity": "MODERATE"
},
"details": "IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Software Suite 1.10.12.0 through 1.10.21.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 233673.",
"id": "GHSA-jvqq-64w2-qq2f",
"modified": "2024-06-29T06:31:39Z",
"published": "2024-06-29T06:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38383"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233673"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7158986"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXRX-2M3C-2G9F
Vulnerability from github – Published: 2025-01-26 15:30 – Updated: 2025-01-26 15:30IBM Automation Decision Services 23.0.2 allows web pages to be stored locally which can be read by another user on the system.
{
"affected": [],
"aliases": [
"CVE-2024-31906"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-26T15:15:22Z",
"severity": "MODERATE"
},
"details": "IBM Automation Decision Services 23.0.2 allows web pages to be stored locally which can be read by another user on the system.",
"id": "GHSA-jxrx-2m3c-2g9f",
"modified": "2025-01-26T15:30:49Z",
"published": "2025-01-26T15:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31906"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7150662"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MHPG-HPJ5-73R2
Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2026-01-08 21:24Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "10.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "10.5.0"
},
{
"fixed": "10.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.2.0"
},
{
"fixed": "11.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0"
},
{
"fixed": "7.103"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13083"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-18T21:56:20Z",
"nvd_published_at": "2025-11-18T17:15:59Z",
"severity": "LOW"
},
"details": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.",
"id": "GHSA-mhpg-hpj5-73r2",
"modified": "2026-01-08T21:24:14Z",
"published": "2025-11-18T18:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13083"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2025-008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels"
}
GHSA-PW59-4QGF-JXR8
Vulnerability from github – Published: 2021-06-18 22:04 – Updated: 2022-04-04 21:27When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/apache/trafficcontrol"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-17522"
],
"database_specific": {
"cwe_ids": [
"CWE-525",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-04T21:27:42Z",
"nvd_published_at": "2021-01-26T18:15:00Z",
"severity": "MODERATE"
},
"details": "When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.",
"id": "GHSA-pw59-4qgf-jxr8",
"modified": "2022-04-04T21:27:42Z",
"published": "2021-06-18T22:04:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17522"
},
{
"type": "WEB",
"url": "https://github.com/apache/trafficcontrol/commit/492290d810e9608afb5d265b98cd3f3e153e776b"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/trafficcontrol"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8@%3Ccommits.trafficcontrol.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3de212a3da73bcf98fa2db7eafb75b2eb8e131ff466e6efc4284df09%40%3Cdev.trafficcontrol.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf@%3Ccommits.trafficcontrol.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cache Manipulation Attack in Apache Traffic Control"
}
GHSA-PW85-34WF-P82J
Vulnerability from github – Published: 2025-10-10 12:30 – Updated: 2025-10-24 21:31A vulnerability
Cacheable SSL Page Found vulnerability has been identified
in HCL AION.
Cached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser
This issue affects AION: 2.0.
{
"affected": [],
"aliases": [
"CVE-2025-52625"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-10T11:15:42Z",
"severity": "LOW"
},
"details": "A vulnerability\u00a0\n\nCacheable SSL Page Found vulnerability has been identified\n\n in HCL AION.\u00a0\n\nCached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser\n\nThis issue affects AION: 2.0.",
"id": "GHSA-pw85-34wf-p82j",
"modified": "2025-10-24T21:31:10Z",
"published": "2025-10-10T12:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52625"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124444"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q52W-499F-86FQ
Vulnerability from github – Published: 2026-03-03 21:31 – Updated: 2026-03-03 21:31IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system.
{
"affected": [],
"aliases": [
"CVE-2025-36364"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T20:16:43Z",
"severity": "MODERATE"
},
"details": "IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system.",
"id": "GHSA-q52w-499f-86fq",
"modified": "2026-03-03T21:31:16Z",
"published": "2026-03-03T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36364"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7261930"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7P4-7JH5-PMJP
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32IBM TXSeries for Multiplatforms 8.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 280190.
{
"affected": [],
"aliases": [
"CVE-2024-22343"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T14:57:44Z",
"severity": "MODERATE"
},
"details": "IBM TXSeries for Multiplatforms 8.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 280190.",
"id": "GHSA-r7p4-7jh5-pmjp",
"modified": "2024-05-14T15:32:52Z",
"published": "2024-05-14T15:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22343"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/280190"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7150667"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X59X-PG5J-HFH3
Vulnerability from github – Published: 2025-05-15 09:31 – Updated: 2025-05-15 09:31Information Exposure vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.
{
"affected": [],
"aliases": [
"CVE-2025-27525"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-15T07:15:50Z",
"severity": "LOW"
},
"details": "Information Exposure vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.",
"id": "GHSA-x59x-pg5j-hfh3",
"modified": "2025-05-15T09:31:20Z",
"published": "2025-05-15T09:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27525"
},
{
"type": "WEB",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-115/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XP2V-RF5W-RH2C
Vulnerability from github – Published: 2024-03-15 18:30 – Updated: 2024-03-15 18:30IBM Sterling Secure Proxy 6.0.3 and 6.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 269686.
{
"affected": [],
"aliases": [
"CVE-2023-46181"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-15T16:15:07Z",
"severity": "MODERATE"
},
"details": "IBM Sterling Secure Proxy 6.0.3 and 6.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 269686.",
"id": "GHSA-xp2v-rf5w-rh2c",
"modified": "2024-03-15T18:30:36Z",
"published": "2024-03-15T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46181"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/269686"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7142038"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPJ8-V2G3-X4R2
Vulnerability from github – Published: 2026-06-02 15:32 – Updated: 2026-06-02 15:32A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.
{
"affected": [],
"aliases": [
"CVE-2026-41918"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-02T14:16:53Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions \u003c V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.",
"id": "GHSA-xpj8-v2g3-x4r2",
"modified": "2026-06-02T15:32:12Z",
"published": "2026-06-02T15:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41918"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Protect information stored in cache.
Mitigation
Use a restrictive caching policy for forms and web pages that potentially contain sensitive information, such as "no-cache" in the Cache-Control header.
Mitigation
Do not store unnecessarily sensitive information in the cache.
Mitigation
Consider using encryption in the cache.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.