Use of Cache Containing Sensitive Information in collectiveaccess/pawtucket2


Reported on

Oct 4th 2021


With reference to this report: , the fix should be replicated here with proper Cache-Control headers.

Proof of Concept

Example of sensitive
1) Log in to the application dashboard.
2) Go to the lightbox page.
3) Click logout.
4) Click the browser's back button to see the group codes.


Any user can view another user's lightbox if the browser tab is left open on a shared computer.
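As an added illustration (not code from the report or from the pawtucket2 project), a small Python check that inspects the response headers of an authenticated page and flags anything that would let a browser keep a copy for the back button; both header sets below are constructed samples, not captured from the application.

```python
"""Flag response headers that allow an authenticated page to be cached.

The back-button exposure after logout is prevented when the server marks
session-bound pages as not storable (Cache-Control: no-store, plus the
legacy Pragma/Expires fields for old intermediaries).
"""


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_findings(headers):
    """Return a list of findings for a response that carries session data.

    headers: dict of header name -> value; lookup is case-insensitive.
    An empty list means the response is safe from browser/shared caching.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: browser may keep the page for back/forward")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache: a stored copy may be reused without revalidation")
    if "public" in cc:
        findings.append("Cache-Control: public allows shared caches to store the response")
    if "max-age" in cc and cc["max-age"] not in (None, "0"):
        findings.append(f"Cache-Control max-age={cc['max-age']} permits reuse of the response")
    if lower.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 intermediaries)")
    return findings


def is_cache_safe(headers):
    """True when no caching finding applies to the given headers."""
    return not cache_findings(headers)


# Constructed samples: a response with no cache directives at all, and the
# same response once the page is marked as not cacheable.
BEFORE_FIX = {"Content-Type": "text/html", "Set-Cookie": "PHPSESSID=abc; HttpOnly"}
AFTER_FIX = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, cache_findings(hdrs) or "OK")
```

Run it against the real headers of the lightbox page (as seen while logged in) to confirm the merged fix is in effect.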


We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back (a year ago)
haxatron modified the report (a year ago)



CollectiveAccess validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on be6d46 a year ago
CollectiveAccess has been awarded the fix bounty
index.php#L111 has been validated