The UI Performs the Wrong Action in flarum/framework


Reported on

Sep 27th 2021


Sensitive Data can be exposed even after logouting the application due to ui wrong action

Proof of Concept

1) login to the application dashboard as admin (
2)  Goto Any pages ( dashboard,permissions etc )
3) Click logout
4) Click browser back button
5) Will Re-enters to application dashboard and can view and use diffrent options like permissions etc


Any other user can view the data if browser tab remains unclosed after logouting. application must striclty redirect to login page even browser back button is pressed and not allows the exposure of application structure ,

We have contacted a member of the flarum/framework team and are waiting to hear back a year ago
0xdhinu modified the report
a year ago
David Wheatley
a year ago

I think one of the key things about this is that no actions can be taken, despite having visual access to the admin UI.

Some people may consider this a vulnerability, but even large entities, like Google, do not believe that it is:

They actually state:

In order to access the cached pages, the attacker will need physical access to the targeted login session, or the ability to execute arbitrary code with the current user's privileges on the system.

I agree with them, personally, as, if an attacker has that level of access, they could realistically do far more damage (e.g. install a keylogger on the system, or steal a session token after they log back in), rendering purely visual access to the data trivial in comparison.

a year ago


Hi There is a simple fix for this issue using no-cache , no-store in response header will help to prevent this issue


Daniël Klabbers
a year ago

We are setting max-age=0 in our headers. Setting this value forces the cache to revalidate, see Question is whether we might also need no-store.

Looking at, I think this makes sense. I am going to Mark As Valid and ensure action is taken at least for the admin area.

Thanks for your disclosure.

Daniël Klabbers validated this vulnerability a year ago
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Daniël Klabbers marked this as fixed with commit b4772e a year ago
Daniël Klabbers has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation