Use of Cache Containing Sensitive Information in collectiveaccess/pawtucket2

Valid

Reported on

Oct 4th 2021


Description

With reference to this report: https://www.huntr.dev/bounties/9708c444-2cf2-4aed-8188-1dc7def05ba1/, the same issue should be addressed with proper cache-control.

Proof of Concept

Example of sensitive information exposure:
1) Log in to the application dashboard
2) Go to the lightbox page
3) Click logout
4) Click the browser's back button to see the group codes
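As an added example (not code from the report or from pawtucket2), a check a defender can run over a page's response headers to confirm the "proper cache-control" the report asks for, i.e. that a logged-in page is not replayed from the browser cache via the back button; the header sets below are constructed samples.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'private, max-age=0, no-store' into {'private': '', 'max-age': '0', 'no-store': ''}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"')
    return directives


def _expires_is_past(value: str) -> bool:
    """Expires: 0 / -1 or any date already in the past counts as 'do not reuse'."""
    if value in ("0", "-1"):
        return True
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt <= datetime.now(timezone.utc)


def cache_policy_issues(headers: Dict[str, str]) -> List[str]:
    """Return findings for an authenticated page; an empty list means the response is not cacheable."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    issues = []
    if "no-store" not in cc:
        # Only no-store keeps the page out of the browser history cache; 'private' or
        # 'no-cache' alone still lets the back button show the stale copy after logout.
        issues.append("Cache-Control lacks no-store")
    if cc.get("max-age", "0") not in ("", "0"):
        issues.append(f"Cache-Control max-age={cc['max-age']} permits reuse")
    if "public" in cc:
        issues.append("Cache-Control: public allows shared caches to store the page")
    if h.get("pragma", "").strip().lower() != "no-cache":
        issues.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if not _expires_is_past(h.get("expires", "").strip()):
        issues.append("Expires not set to 0 or a past date (legacy caches)")
    return issues


# Constructed samples: a weak header set and the hardened set a fix should produce.
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}
FIXED_HEADERS = {"Content-Type": "text/html", "Pragma": "no-cache", "Expires": "0",
                 "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0"}
```

Run `cache_policy_issues(WEAK_HEADERS)` to see four findings and `cache_policy_issues(FIXED_HEADERS)` to get an empty list.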

Impact

Any user can view another user's lightbox if the browser tab remains open on a shared computer.

Occurrences

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back (2 years ago)
haxatron modified the report (2 years ago)

CollectiveAccess (Maintainer), 2 years ago:

Thanks.

CollectiveAccess validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess marked this as fixed with commit be6d46 2 years ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE
index.php#L111 has been validated