{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13478", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "state": "PUBLISHED", "assignerShortName": "OpenText", "dateReserved": "2025-11-20T13:59:14.354Z", "datePublished": "2026-03-27T13:43:34.258Z", "dateUpdated": "2026-03-27T13:53:41.403Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2026-03-27T13:43:34.258Z"}, "title": "Cache Misconfiguration Leading to Cross-User Data Exposure", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-102", "descriptions": [{"lang": "en", "value": "CAPEC-102 Session Sidejacking"}]}], "affected": [{"vendor": "OpenText", "product": "Identity Manager", "platforms": ["Windows", "Linux"], "versions": [{"status": "affected", "version": "25.2(v4.10.1)"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2(v4.10.1).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling.<p>This issue affects Identity Manager: 25.2(v4.10.1).</p>"}]}], "references": [{"url": "https://docs.microfocus.com/doc/2159/25.2/cvesecurityfix"}, {"tags": ["release-notes"], "url": "https://docs.microfocus.com/doc/2159/25.2/releasenotesidentitymanager4101patch01"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"}}], "credits": [{"lang": "en", "value": "TH K\u00f6ln", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:53:25.686345Z", "id": "CVE-2025-13478", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:53:41.403Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13478", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:53:25.686345Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:53:36.303Z"}}], "cna": {"title": "Cache Misconfiguration Leading to Cross-User Data Exposure", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "TH K\u00f6ln"}], "impacts": [{"capecId": "CAPEC-102", "descriptions": [{"lang": "en", "value": "CAPEC-102 Session Sidejacking"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenText", "product": "Identity Manager", "versions": [{"status": "affected", "version": "25.2(v4.10.1)"}], "platforms": ["Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.microfocus.com/doc/2159/25.2/cvesecurityfix"}, {"url": "https://docs.microfocus.com/doc/2159/25.2/releasenotesidentitymanager4101patch01", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2(v4.10.1).", "supportingMedia": [{"type": "text/html", "value": "Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling.<p>This issue affects Identity Manager: 25.2(v4.10.1).</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2026-03-27T13:43:34.258Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13478", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:53:41.403Z", "dateReserved": "2025-11-20T13:59:14.354Z", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "datePublished": "2026-03-27T13:43:34.258Z", "assignerShortName": "OpenText"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2(v4.10.1)."}], "id": "CVE-2025-13478", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2026-03-27T14:16:07.450", "references": [{"source": "security@opentext.com", "url": "https://docs.microfocus.com/doc/2159/25.2/cvesecurityfix"}, {"source": "security@opentext.com", "url": "https://docs.microfocus.com/doc/2159/25.2/releasenotesidentitymanager4101patch01"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@opentext.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["Windows", "Linux"], "status": "affected", "versions": {"scheme": "generic", "value": "25.2(v4.10.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "identity_manager", "vendor": "opentext"}], "analysis": {"en": {"generated_at": "2026-03-27T15:58:26.923445+00:00", "value": {"mitigation_remediation": ["Apply the security patch or upgrade OpenText Identity Manager to version 25.2 v4.10.1 or later as detailed in Micro Focus documentation.", "Verify that the application cache directory has appropriate file permissions so that only the owning process can read the files.", "After patching and reconfiguration, test that session data is no longer accessible to other users."], "summary": {"action": "Immediate Patch", "impact": "Cross-User Session Data Exposure"}, "threat_synthesis": {"affected_systems": "The flaw exists in OpenText Identity Manager 25.2 (v4.10.1) running on Windows or Linux platforms. This version can be obtained from Micro Focus\u2019s product release channels. Only the mentioned version is confirmed affected; earlier releases are not listed as vulnerable.", "description_and_impact": "A misconfigured cache in OpenText Identity Manager allows a remote authenticated user to read any other user's session data stored in the application cache. The vulnerability is a result of insecure handling of cache files, giving attackers access to confidential session information. The impact is a breach of confidentiality and potential escalation of privileges by a compromised user.", "risk_and_exploitability": "The CVSS Base Score of 8.4 classifies this flaw as High severity, and although its EPSS score is not available, the attack only requires the attacker to be an authenticated user of the application. The vulnerability is not currently listed in CISA\u2019s KEV catalog, but because it allows cross-user data leakage, it represents a significant risk for organizations that rely on isolated user sessions. Exploitation requires no special network access beyond normal authentication and can be performed by any legitimate user who logs into the affected system. Review of the publicly available references indicates that Micro Focus has released a patch to address the issue, making patching an effective mitigation."}}}}, "created": "2026-03-27T20:28:52.676239+00:00", "updated": "2026-03-30T07:59:41.291164+00:00", "vendors": ["opentext", "opentext$PRODUCT$identity_manager"]}