The UI Performs the Wrong Action in khodakhah/nodcms

Valid

Reported on Sep 16th 2021

Description

Violation of secure design principles: logging out does not end the authenticated session. After logout, requesting the admin URL directly still returns the dashboard and its contents, which indicates that the logout does not invalidate the session or that the admin page does not re-check authentication.

Proof of Concept

Step 1: Open the login page and log in to an account.
Step 2: The dashboard and the other options inside the application are shown.
Step 3: Log out of the application.
Step 4: Directly visit the URL: https://demo.nodcms.com/admin/
Step 5: The dashboard and other details are still displayed, so an attacker with access to the browser can see them.

PoC image: https://ibb.co/TwZsfx4
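The five steps above, automated as an added example that is not part of the report and not NodCMS code. Besides repeating the browser's own request after logout, it replays the cookie captured before logout, which separates a logout that only clears the cookie in the browser from one that also destroys the server-side session. `DemoApp`, the `/login`, `/logout` and `/admin/` paths, the `sid` cookie name, the `Dashboard` marker and the form body passed to `http_transport` are all assumptions; against a live instance the real login form and an authenticated-only marker have to be supplied first.

```python
"""Automated version of the report's logout check (added example, not NodCMS code).
Log in, confirm /admin/ shows the dashboard, log out, then request /admin/ twice:
with the cookie jar as a browser would hold it after Set-Cookie, and with the
pre-logout cookie replayed, which catches a client-side-only logout."""
import http.client
import secrets
from urllib.parse import urlsplit

# Assumption: a string that appears only on the authenticated admin page.
DASHBOARD_MARKER = "Dashboard"


def _jar_update(jar, set_cookie):
    """Apply one Set-Cookie header as a browser would (Expires is ignored)."""
    name, _, value = set_cookie.split(";", 1)[0].partition("=")
    if value.strip() == "" or "max-age=0" in set_cookie.lower():
        jar.pop(name.strip(), None)
    else:
        jar[name.strip()] = value.strip()


def logout_invalidates_session(send):
    """Drive the report's steps through send(method, path, cookie), which
    returns (status, [Set-Cookie headers], body). Both flags must be False."""
    jar = {}

    def request(method, path):
        cookie = "; ".join(f"{k}={v}" for k, v in jar.items()) or None
        status, set_cookies, body = send(method, path, cookie)
        for header in set_cookies:
            _jar_update(jar, header)
        return status, body

    request("POST", "/login")                      # step 1
    status, body = request("GET", "/admin/")       # step 2
    if status != 200 or DASHBOARD_MARKER not in body:
        raise RuntimeError("login did not reach the dashboard; check credentials/marker")
    captured = dict(jar)                           # the pre-logout session cookie
    request("GET", "/logout")                      # step 3
    status_b, body_b = request("GET", "/admin/")   # steps 4-5 with browser state
    jar.clear()
    jar.update(captured)
    status_r, body_r = request("GET", "/admin/")   # replay of the old cookie
    return {
        "browser_revisit_shows_dashboard": status_b == 200 and DASHBOARD_MARKER in body_b,
        "replayed_cookie_shows_dashboard": status_r == 200 and DASHBOARD_MARKER in body_r,
    }


class DemoApp:
    """Hypothetical in-process session model standing in for the server.
    destroy_server_session=False reproduces the reported symptom: /logout only
    redirects, so the browser keeps the cookie and the session stays valid."""

    def __init__(self, destroy_server_session):
        self.destroy = destroy_server_session
        self.sessions = {}  # session id -> user

    def send(self, method, path, cookie):
        cookies = dict(p.strip().split("=", 1) for p in (cookie or "").split(";") if "=" in p)
        sid = cookies.get("sid")
        if method == "POST" and path == "/login":
            sid = secrets.token_hex(16)
            self.sessions[sid] = "admin"
            return 302, [f"sid={sid}; Path=/; HttpOnly"], ""
        if path == "/logout":
            if self.destroy:
                self.sessions.pop(sid, None)  # invalidate server-side too
                return 302, ["sid=; Path=/; Max-Age=0"], ""
            return 302, [], ""  # vulnerable: nothing is invalidated
        if path == "/admin/":
            if sid in self.sessions:
                return 200, [], "<h1>Dashboard</h1>"
            return 302, [], ""  # would redirect to the login page
        return 404, [], ""


def http_transport(base_url, login_form):
    """Transport for a live instance; paths and form fields are assumptions."""
    netloc = urlsplit(base_url).netloc

    def send(method, path, cookie):
        conn = http.client.HTTPSConnection(netloc, timeout=10)
        headers = {"Cookie": cookie} if cookie else {}
        body = login_form if method == "POST" else None
        if body is not None:
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        text = resp.read().decode("utf-8", "replace")
        set_cookies = resp.headers.get_all("Set-Cookie") or []
        conn.close()
        return resp.status, set_cookies, text

    return send


if __name__ == "__main__":
    print("vulnerable:", logout_invalidates_session(DemoApp(False).send))
    print("fixed:", logout_invalidates_session(DemoApp(True).send))
```

Run stand-alone, the vulnerable model returns both flags True and the corrected model both False. Either flag being True on a real instance is the condition the report describes; the replay flag in particular stays True when logout only expires the browser cookie, which a manual browser test cannot distinguish from a proper server-side invalidation.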

Impact

Anyone who reaches the browser after the user has logged out (for example on a shared or public machine) can open /admin/ and read the dashboard and the other administrative information that logging out was expected to protect.

Timeline

We have contacted a member of the khodakhah/nodcms team and are waiting to hear back (2 years ago)
khodakhah validated this vulnerability (2 years ago)
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
@0xAmal (Researcher), 2 years ago:
@admin, this reward and report are not reflected in my account; please have a look.

khodakhah marked this as fixed with commit af53ec (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE