CWE-525
Use of Web Browser Cache Containing Sensitive Information
The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
CVE-2023-43035 (GCVE-0-2023-43035)
Vulnerability from cvelistv5
Published
2025-04-10 13:26
Modified
2025-08-17 00:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-525 - Information Exposure Through Browser Caching
Summary
IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 allows web pages to be stored locally which can be read by another user on the system.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7230561 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Sterling Control Center |
Version: 6.2.1 Version: 6.3.1 Version: 6.4.0 cpe:2.3:a:ibm:control_center:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:control_center:6.3.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:control_center:6.4.0.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43035",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:13:32.527807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:13:41.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:control_center:6.2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:control_center:6.3.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:control_center:6.4.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Sterling Control Center",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "6.2.1"
},
{
"status": "affected",
"version": "6.3.1"
},
{
"status": "affected",
"version": "6.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 allows web pages to be stored locally which can be read by another user on the system."
}
],
"value": "IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 allows web pages to be stored locally which can be read by another user on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-525",
"description": "CWE-525 Information Exposure Through Browser Caching",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-17T00:05:25.920Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7230561"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Sterling Control Center information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-43035",
"datePublished": "2025-04-10T13:26:44.672Z",
"dateReserved": "2023-09-15T01:12:19.597Z",
"dateUpdated": "2025-08-17T00:05:25.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1334 (GCVE-0-2025-1334)
Vulnerability from cvelistv5
Published
2025-06-03 15:18
Modified
2025-08-24 11:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-525 - Information Exposure Through Browser Caching
Summary
IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 allows web pages to be stored locally which can be read by another user on the system.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7235432 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | IBM | QRadar Suite Software |
Version: 1.10.12.0 ≤ 1.11.2.0 cpe:2.3:a:ibm:qradar_suite:1.10.12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:qradar_suite:1.11.2.0:*:*:*:*:*:*:* |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-03T15:30:48.789875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T15:31:00.347Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:qradar_suite:1.10.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:qradar_suite:1.11.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "QRadar Suite Software",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.11.2.0",
"status": "affected",
"version": "1.10.12.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_security:1.10.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cloud Pak for Security",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.10.11.0",
"status": "affected",
"version": "1.10.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John Zuccato, Rodney Ryan, Chris Shepherd, Vince Dragnea, Ben Goodspeed, Dawid Bak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 allows web pages to be stored locally which can be read by another user on the system."
}
],
"value": "IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 allows web pages to be stored locally which can be read by another user on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-525",
"description": "CWE-525 Information Exposure Through Browser Caching",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-24T11:59:40.522Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7235432"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM strongly encourages customers to update their systems promptly.\u003cbr\u003e\u003cbr\u003ePlease upgrade to at least version 1.11.3.0 according to the following instructions:\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=installing\"\u003ehttps://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=installing\u003c/a\u003e\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=upgrading\"\u003ehttps://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=upgrading\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "IBM strongly encourages customers to update their systems promptly.\n\nPlease upgrade to at least version 1.11.3.0 according to the following instructions:\n\n https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=installing \n\n https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=upgrading"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM QRadar Suite Software and IBM Cloud Pak for Security information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-1334",
"datePublished": "2025-06-03T15:18:40.596Z",
"dateReserved": "2025-02-15T14:16:41.665Z",
"dateUpdated": "2025-08-24T11:59:40.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1348 (GCVE-0-2025-1348)
Vulnerability from cvelistv5
Published
2025-06-18 16:19
Modified
2025-08-24 11:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-525 - Information Exposure Through Browser Caching
Summary
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 could allow a local user to obtain sensitive information from a user’s web browser cache due to not using a suitable caching policy.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7237068 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Sterling B2B Integrator |
Version: 6.0.0.0 ≤ 6.1.2.6 Version: 6.2.0.0 ≤ 6.2.0.4 cpe:2.3:a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_b2b_integrator:6.1.2.6:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.4:*:*:*:standard:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-18T18:25:33.803335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T18:26:07.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_b2b_integrator:6.1.2.6:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.4:*:*:*:standard:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Sterling B2B Integrator",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.1.2.6",
"status": "affected",
"version": "6.0.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.0.4",
"status": "affected",
"version": "6.2.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 could allow a local user to obtain sensitive information from a user\u2019s web browser cache due to not using a suitable caching policy."
}
],
"value": "IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 could allow a local user to obtain sensitive information from a user\u2019s web browser cache due to not using a suitable caching policy."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-525",
"description": "CWE-525 Information Exposure Through Browser Caching",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-24T11:50:32.968Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7237068"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 - 6.1.2.6 IT47515 Apply B2Bi 6.1.2.7. 6.2.0.5 or 6.2.1.0\u003cbr\u003eIBM Sterling B2B Integrator and IBM Sterling File Gateway 6.2.0.0 - 6.2.0.4 IT47515 Apply B2Bi 6.2.0.5 or 6.2.1.0\u003cbr\u003e \u003cbr\u003e\u003cbr\u003eThe IIM versions of 6.1.2.7, 6.2.0.5 and 6.2.1.0 are available on Fix Central. \u003cbr\u003e\u003cbr\u003eThe container version of 6.1.2.7, 6.2.0.5 and 6.2.1.0 are available in IBM Entitled Registry.\u003cbr\u003e"
}
],
"value": "IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 - 6.1.2.6 IT47515 Apply B2Bi 6.1.2.7. 6.2.0.5 or 6.2.1.0\nIBM Sterling B2B Integrator and IBM Sterling File Gateway 6.2.0.0 - 6.2.0.4 IT47515 Apply B2Bi 6.2.0.5 or 6.2.1.0\n \n\nThe IIM versions of 6.1.2.7, 6.2.0.5 and 6.2.1.0 are available on Fix Central. \n\nThe container version of 6.1.2.7, 6.2.0.5 and 6.2.1.0 are available in IBM Entitled Registry."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Sterling B2B Integrator and IBM Sterling File Gateway information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-1348",
"datePublished": "2025-06-18T16:19:48.515Z",
"dateReserved": "2025-02-15T15:14:05.404Z",
"dateUpdated": "2025-08-24T11:50:32.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Protect information stored in cache.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Use a restrictive caching policy for forms and web pages that potentially contain sensitive information.
Mitigation
Phase: Architecture and Design
Description:
- Do not store unnecessarily sensitive information in the cache.
Mitigation
Phase: Architecture and Design
Description:
- Consider using encryption in the cache.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.