The UI Performs the Wrong Action in collectiveaccess/providence


Reported on

Sep 27th 2021


Sensitive Data can be exposed even after logouting the application due to ui wrong action

Proof of Concept

1) login to the application dashboard ( )
2)  Goto Any pages ( dashboard,administrations etc )
3) Click logout
4) Click browser back button


Any other user can view the data if browser tab remains unclosed. application must striclty redirect to login page even browser back button is pressed,

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back 2 years ago
CollectiveAccess marked this as fixed with commit 84eb9d 2 years ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation