CVE-2025-13478

EUVD ID: EUVD-2025-209094
Severity: HIGH (CVSS 4.0 base score 8.4)
Published: 2026-03-27
Vendor: OpenText
GitHub advisory: GHSA-97p3-hw8f-r547

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not applicable; CVSS 4.0 has no Scope metric)

Lifecycle Timeline

Analysis Generated: Mar 27, 2026 - 14:00 (vuln.today)
EUVD ID Assigned: Mar 27, 2026 - 14:00 (euvd), EUVD-2025-209094
CVE Published: Mar 27, 2026 - 13:43 (nvd), rated HIGH 8.4

Description

Cache misconfiguration vulnerability in OpenText Identity Manager on Windows and Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager 25.2 (v4.10.1).

Analysis

OpenText Identity Manager versions up to 25.2 (v4.10.1) suffer from insecure cache handling that permits remote authenticated users to retrieve another user's session data, resulting in unauthorized information disclosure. An attacker with valid credentials can exploit this cache misconfiguration on both Windows and Linux deployments to access sensitive session information belonging to other authenticated users, compromising confidentiality of user sessions and potentially enabling lateral movement or privilege escalation attacks.

Technical Context

This vulnerability stems from improper cache configuration in OpenText Identity Manager (CPE: cpe:2.3:a:opentext:identity_manager), classified under CWE-522 (Insufficiently Protected Credentials). The root cause is the application's caching mechanism failing to properly isolate or encrypt session data, which allows authenticated attackers to retrieve cached credentials or session tokens belonging to other users. The flaw sits in the Identity Manager authentication and session management subsystem and affects both Windows and Linux platforms, indicating a platform-agnostic logic flaw rather than an OS-specific weakness.

Affected Products

OpenText Identity Manager version 25.2, specifically build v4.10.1 and earlier releases within the 25.2 branch, are affected on both Windows and Linux platforms as identified by the vendor-supplied CPE cpe:2.3:a:opentext:identity_manager. Customers deploying Identity Manager 4.10.1 or prior within the 25.2 release line are in scope. Further details and security guidance are provided in the vendor documentation at https://docs.microfocus.com/doc/2159/25.2/cvesecurityfix and release notes at https://docs.microfocus.com/doc/2159/25.2/releasenotesidentitymanager4101patch01.

Remediation

Upgrade OpenText Identity Manager to version 4.10.1 Patch 01 or later as documented in the vendor release notes (https://docs.microfocus.com/doc/2159/25.2/releasenotesidentitymanager4101patch01). Until patching is completed, apply the following interim controls:

1. Restrict network access to Identity Manager endpoints using firewall rules and VPN/bastion host requirements to limit the authenticated user population.
2. Implement cache invalidation policies and clear the application cache regularly.
3. Monitor authentication logs and session management audit trails for anomalous cross-user session access patterns.
4. Enforce strong session timeout policies to reduce the window of exposure for cached credentials.
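As an added example (not code from vuln.today or OpenText), the cross-user session check behind interim control (3), run over constructed audit lines. The key=value log layout, the field names and the sample events are assumptions for illustration; the page does not describe Identity Manager's actual log format.

```python
"""Flag sessions whose data is used by more than one authenticated user.

Constructed example: a session id that is first seen with one user and
later presented by, or served to, another principal is the pattern that
insecure shared-cache handling of session data would produce.
"""
import re
from collections import defaultdict

# Constructed sample audit lines (assumed format, not real product output).
SAMPLE_AUDIT_LINES = """\
2026-03-27T13:40:01Z event=login user=alice session=S1 src=10.0.0.5
2026-03-27T13:40:09Z event=cache_read user=alice session=S1 key=profile
2026-03-27T13:41:02Z event=login user=bob session=S2 src=10.0.0.9
2026-03-27T13:41:30Z event=cache_read user=bob session=S1 key=profile
2026-03-27T13:42:00Z event=cache_read user=carol session=S1 key=profile
2026-03-27T13:42:10Z event=logout user=bob session=S2
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Return (timestamp, {field: value}) for one key=value audit line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return m.group("ts"), fields


def find_cross_user_sessions(lines):
    """Map session id -> {"owner": first user, "others": [(user, first ts), ...]}.

    Only sessions touched by a second distinct user are returned; the owner is
    the user that first appeared with the session id (normally the login).
    """
    owners = {}                 # session id -> first user seen with it
    others = defaultdict(list)  # session id -> [(other user, first timestamp)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        sid, user = f.get("session"), f.get("user")
        if not sid or not user:
            continue
        owner = owners.setdefault(sid, user)
        if user != owner and user not in (u for u, _ in others[sid]):
            others[sid].append((user, ts))
    return {sid: {"owner": owners[sid], "others": seen}
            for sid, seen in others.items() if seen}


if __name__ == "__main__":
    for sid, hit in find_cross_user_sessions(SAMPLE_AUDIT_LINES).items():
        print(f"ALERT session {sid} owned by {hit['owner']} also used by {hit['others']}")
```

Sessions that never leave their owner (S2 above) produce no alert; S1 is reported with the timestamp at which each foreign user first appeared.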

Priority Score

Priority score: 42 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.2, CVSS +42, POC 0


CVE-2025-13478 vulnerability details – vuln.today
