CVE-2025-36082 in OpenPagesinfo

Summary

by MITRE • 09/15/2025

IBM OpenPages 9.0 and 9.1 allows web page cache to be stored locally which can be read by another user on the system.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/24/2025

IBM OpenPages version 9.0 and 9.1 contains a critical web application vulnerability that enables improper cache management resulting in cross-user data exposure. This vulnerability stems from the application's failure to implement proper cache isolation mechanisms between concurrent user sessions. The flaw allows web page cache content to be stored locally on the system in a manner that permits unauthorized access by subsequent users who may share the same system resources. This represents a significant security weakness that directly violates fundamental principles of application isolation and user confidentiality.

The technical implementation of this vulnerability occurs at the web application layer where cached content is not adequately secured or isolated between different user sessions. When multiple users access the same OpenPages instance, the application fails to ensure that cached data remains exclusively associated with the original user's session. This misconfiguration creates a scenario where session-specific information, potentially including sensitive business data, authentication tokens, or personalized content, can be accessed by other individuals who subsequently use the same system. The vulnerability operates through the browser's local storage mechanisms or server-side cache management that lacks proper user context validation.

The operational impact of this vulnerability extends beyond simple data exposure to encompass potential business disruption and regulatory compliance violations. Organizations utilizing IBM OpenPages for governance, risk management, or compliance reporting may experience unauthorized access to confidential information, potentially including sensitive business data, regulatory filings, or strategic planning documents. This cross-user cache access could enable attackers to perform privilege escalation, conduct data theft, or manipulate business processes through access to cached administrative functions. The vulnerability particularly affects multi-user environments where shared computing resources are common, increasing the attack surface and potential impact.

Security mitigation strategies should focus on implementing robust cache isolation controls and proper session management practices. Organizations should immediately apply the vendor-provided security patches or updates that address the cache management implementation. System administrators must configure the application to enforce strict cache separation between user sessions, ensuring that cached content is properly scoped to individual user contexts. Network segmentation and access controls should be implemented to limit exposure, while monitoring systems should be enhanced to detect unauthorized access patterns. The vulnerability aligns with CWE-200 (Information Exposure) and represents a specific implementation weakness that could be categorized under ATT&CK technique T1531 (Account Access Removal) when exploited for unauthorized data access. Regular security assessments and penetration testing should be conducted to verify proper cache isolation mechanisms are functioning correctly.

Responsible

Ibm

Reservation

04/15/2025

Disclosure

09/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00120

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!