Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multiple users share a browser or machine, cached account pages could expose sensitive user information to other local users.
AnalysisAI
XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account pages on shared systems. Local users with access to a shared machine or browser can retrieve cached account data belonging to other users who previously accessed XenForo, enabling unauthorized information disclosure without authentication. No public exploit code or active exploitation has been identified; remediation requires upgrading to XenForo 2.3.7 or later.
Technical ContextAI
This vulnerability stems from inadequate cache control headers on account pages served by XenForo (CWE-200: Information Exposure). When multiple users share a single browser or computer, HTTP caching mechanisms retain sensitive account page responses in local browser caches or system-level cache storage. XenForo's account pages-which contain personal user data, settings, and potentially authentication tokens-were not properly marked with cache-control directives (such as no-store, no-cache, or private with appropriate max-age values) to prevent local storage on multi-user systems. The affected product is XenForo, a PHP-based forum and community platform, where all versions before 2.3.7 lack proper cache isolation for account-related endpoints.
RemediationAI
Upgrade XenForo to version 2.3.7 or later immediately. This version includes fixes for the account page caching vulnerability that add proper cache-control headers and potentially other cache handling improvements to prevent sensitive data leakage on shared systems. Administrators should review the full release notes at https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/ for any additional configuration or post-upgrade steps. As an interim mitigation on systems where multiple users share browser access, ensure that shared computers have browser cache clearing enabled at shutdown, or instruct users to manually clear browser cache and temporary files after each session.
Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unaut
Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through
OAuth2 scope enforcement vulnerability in XenForo 2.3.x (prior to 2.3.5) allows authenticated client applications to req
XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by
Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbit
Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious
Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious
Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts throu
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209154
GHSA-mvm5-rv5r-322q