CVE-2025-36082
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-24
Assigner: IBM Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | openpages | From 9.0.0 (inc) to 9.0.0.5 (exc) |
| ibm | openpages | 9.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-525 | The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in IBM OpenPages versions 9.0 and 9.1 involves the web page cache being stored locally using the HTTP caching directive 'Cache-Control: max-age=0' instead of the more secure 'Cache-Control: no-store'. Although 'max-age=0' marks content as stale, it still allows temporary storage in browsers or intermediary caches. This can lead to sensitive information being accessible to other users on the same system, representing a local information disclosure risk. [1]
How can this vulnerability impact me? :
The vulnerability can allow another user on the same system to read sensitive information cached locally by the web browser or intermediary caches. This local access could lead to unauthorized disclosure of sensitive data, although the impact on confidentiality is considered low and there is no impact on integrity or availability. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should promptly apply the available fixes from IBM. Specifically, upgrade IBM OpenPages to version 9.1.1 or apply FixPack 5 and Interim Fix 5 for version 9.0. These updates change the HTTP caching directive from 'Cache-Control: max-age=0' to 'Cache-Control: no-store', preventing sensitive data from being cached locally. No other workarounds or mitigations are provided. [1]