The UI Performs the Wrong Action in khodakhah/nodcms


Reported on Sep 16th 2021


Violation of secure design principles

Proof of Concept

Step 1: Go to the login page and log in to an account.
Step 2: The dashboard and the further options inside the application are visible.
Step 3: Log out of the application.
Step 4: Directly visit the url:
Step 5: The attacker can still see the dashboard and other details.

attaching POC image


This vulnerability is capable of leaking sensitive information in certain scenarios.
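The failure mode the steps above describe is a logout that leaves the server-side session alive, so a cached or replayed session cookie still reaches the dashboard. The following added example is not NodCMS code: the in-memory session store, the `login`/`dashboard`/`logout_*` handlers and the user name are constructed stand-ins. It shows a logout that only clears the cookie beside one that also destroys the server-side record, plus a regression check that replays the report's steps.

```python
import secrets

# Constructed in-memory session store standing in for the application's
# real session backend (hypothetical, not NodCMS code).
SESSIONS = {}


def login(user):
    """Create a server-side session and return the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user}
    return sid


def dashboard(cookie):
    """Serve dashboard data only if the cookie maps to a live session.
    Cache-Control: no-store keeps the browser from replaying a cached copy
    of the page after logout."""
    session = SESSIONS.get(cookie)
    if session is None:
        return None  # a real app would redirect to the login page here
    return {"user": session["user"], "view": "dashboard",
            "headers": {"Cache-Control": "no-store"}}


def logout_weak(cookie):
    """Vulnerable pattern: tells the browser to drop the cookie but never
    touches the server-side record, so the old cookie value still works."""
    return {"set_cookie": "session=; Max-Age=0"}


def logout_hardened(cookie):
    """Hardened pattern: invalidate the server-side session first, then
    expire the cookie. A replayed cookie now maps to nothing."""
    SESSIONS.pop(cookie, None)
    return {"set_cookie": "session=; Max-Age=0"}


def dashboard_reachable_after_logout(logout_fn):
    """Regression check mirroring the report: log in, view the dashboard,
    log out, then present the old cookie directly to the dashboard URL.
    Returns True if the dashboard is still served, i.e. the bug is present."""
    cookie = login("alice")  # constructed sample user
    assert dashboard(cookie) is not None  # step 2: dashboard visible
    logout_fn(cookie)                     # step 3: logout
    return dashboard(cookie) is not None  # steps 4/5: direct visit afterwards


if __name__ == "__main__":
    print("weak logout still serves dashboard:", dashboard_reachable_after_logout(logout_weak))
    print("hardened logout still serves dashboard:", dashboard_reachable_after_logout(logout_hardened))
```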

We have contacted a member of the khodakhah/nodcms team and are waiting to hear back a year ago
khodakhah validated this vulnerability a year ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
a year ago


@admin this reward and report are not reflected in my account, please have a look

khodakhah confirmed that a fix has been merged on af53ec a year ago
The fix bounty has been dropped