Use of Cache Containing Sensitive Information in collectiveaccess/pawtucket2


Reported on Oct 4th 2021


With reference to this report: (link not preserved), it should be replicated with proper cache-control.

Proof of Concept

Example of sensitive
1) Log in to the application dashboard.
2) Go to the lightbox page.
3) Click logout.
4) Click the browser's go-back button to see the group codes.


Any user can view others' lightboxes if a browser tab remains unclosed on a shared computer.
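The root cause described above is a page that carries private data (the lightbox contents) but is served without headers that forbid caching, so the browser re-displays its stored copy on back navigation after logout. The following is an added example, not code from the pawtucket2 project or the reporter: a small header audit that parses a response's `Cache-Control` value and reports why a sensitive page could be replayed from cache, alongside the hardened header set a defender would expect on such pages. The sample responses are constructed for illustration.

```python
"""Audit HTTP response headers for pages that must not be re-served from
browser or shared cache after logout (added example; not pawtucket2 code)."""


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control header value into {directive: argument-or-None}.

    Directive names are case-insensitive per RFC 9111; arguments are kept
    as strings (quotes stripped) so callers can compare e.g. max-age=0.
    """
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"') if arg else None
        directives[name] = arg
    return directives


def audit_sensitive_response(headers: dict) -> list:
    """Return findings for a response that carries private data.

    An empty list means the response is protected against back-button
    replay and shared-cache leakage. `headers` maps header name -> value;
    names are compared case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    cc = parse_cache_control(lower.get("cache-control", ""))
    if not cc:
        findings.append("Cache-Control header missing: browser may keep a copy for back navigation")
    else:
        if "no-store" not in cc:
            findings.append("Cache-Control lacks no-store: response may be written to disk cache")
        if "public" in cc:
            findings.append("Cache-Control public: shared caches may serve the page to other users")
        if "max-age" in cc and cc["max-age"] not in (None, "0"):
            findings.append(f"Cache-Control max-age={cc['max-age']}: still fresh after logout")
    pragma = lower.get("pragma", "").lower()
    if "no-cache" not in pragma:
        findings.append("Pragma: no-cache missing (needed for HTTP/1.0 intermediaries)")
    return findings


def hardened_headers() -> dict:
    """Header set that keeps a private page out of every cache tier."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


# Constructed sample responses (not captured from pawtucket2).
WEAK_RESPONSE = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_RESPONSE = {"Content-Type": "text/html; charset=utf-8", **hardened_headers()}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_sensitive_response(hdrs) or "OK")
```

Run it against the headers an authenticated page actually returns (for example from `curl -I` with a valid session cookie); the weak sample yields two findings, the hardened sample none. `no-store` is the directive that matters most for the back-button case, since it tells the browser not to persist the response at all; the remaining directives cover HTTP/1.0 proxies and clients that ignore `no-store`.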


We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back 2 years ago
haxatron modified the report 2 years ago



CollectiveAccess validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess marked this as fixed with commit be6d46 2 years ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE
index.php#L111 has been validated