CVE-2025-71280

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-71280
XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multiple users share a browser or machine, cached account pages could expose sensitive user information to other local users.

6.2 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.vulncheck.com/advisories/xenforo-local-account-page-caching-information-disclosure Third Party Advisory
https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/ Release Notes
Configurations

Configuration 1 (hide)

cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*
History

01 Apr 2026, 18:52

Type Values Removed Values Added
First Time Xenforo
Xenforo xenforo
Summary
  • (es) XenForo anterior a 2.3.7 permite la revelación de información a través del almacenamiento en caché de páginas de cuentas locales en sistemas compartidos. En sistemas donde múltiples usuarios comparten un navegador o una máquina, las páginas de cuentas almacenadas en caché podrían exponer información sensible del usuario a otros usuarios locales.
References () https://www.vulncheck.com/advisories/xenforo-local-account-page-caching-information-disclosure - () https://www.vulncheck.com/advisories/xenforo-local-account-page-caching-information-disclosure - Third Party Advisory
References () https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/ - () https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/ - Release Notes
CPE cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*

01 Apr 2026, 01:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-04-01 01:16

Updated : 2026-04-01 18:52

NVD link : CVE-2025-71280

Mitre link : CVE-2025-71280

CVE.ORG link : CVE-2025-71280

JSON object : View

Products Affected

xenforo

  • xenforo
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor