The UI Performs the Wrong Action in kcal-app/kcal

Valid

Reported on

Sep 27th 2021


Description

Sensitive data can be exposed even after logging out of the application because the UI performs the wrong action.

Proof of Concept

1) Log in to the application dashboard (http://demo.kcal.cooking/)
2) Go to any page (recipes, foods)
3) Click logout
4) Click the browser back button

The application structure is exposed and we can still search for foods.

Impact

Any other user can view the data if the browser tab remains open after logging out. The application must strictly redirect to the login page even when the browser back button is pressed.
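The behaviour described above usually comes from the browser replaying the last authenticated page out of its own cache, so the server never sees the Back navigation and never gets a chance to redirect. As an added illustration (not kcal's own fix), the following WSGI middleware marks every response rendered for a logged-in user `Cache-Control: no-store` and asks the browser to drop its cache on the logout response; the session cookie name, the logout path and the demo app are all assumed here.

```python
# Added example, not code from kcal-app/kcal. Assumed: the session cookie is
# named "session" and the logout route is served at /logout.
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"   # assumed cookie name
LOGOUT_PATH = "/logout"      # assumed logout route

def _has_session(environ):
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return SESSION_COOKIE in cookies and bool(cookies[SESSION_COOKIE].value)

def _set_header(headers, name, value):
    # replace any existing header of the same name (case-insensitive)
    headers[:] = [(k, v) for k, v in headers if k.lower() != name.lower()]
    headers.append((name, value))

def no_store_after_logout(app):
    def middleware(environ, start_response):
        authenticated = _has_session(environ)
        logging_out = environ.get("PATH_INFO") == LOGOUT_PATH

        def patched_start(status, headers, exc_info=None):
            if authenticated or logging_out:
                # no-store is the only directive that keeps a response out of
                # the HTTP cache for Back navigation; no-cache, max-age=0 and
                # Expires do not, because history lists ignore freshness.
                _set_header(headers, "Cache-Control", "no-store")
            if logging_out:
                # browsers that honour Clear-Site-Data drop the cached pages
                _set_header(headers, "Clear-Site-Data", '"cache"')
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return middleware

def demo_app(environ, start_response):
    """Constructed stand-in for the real app; its pages are cacheable by default."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=600")])
    return [b"<ul><li>recipe: oats</li></ul>"]

def run(path, cookie=""):
    """Call the wrapped demo app once and return its response headers as a dict."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update({k.lower(): v for k, v in headers})
    environ = {"PATH_INFO": path, "HTTP_COOKIE": cookie}
    list(no_store_after_logout(demo_app)(environ, start_response))
    return captured
```

With the page no longer stored, pressing Back issues a fresh request, and the application's normal session check is what redirects the now-logged-out user to the login page; the middleware only makes sure that check is reached.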

We have contacted a member of the kcal-app/kcal team and are waiting to hear back 2 months ago
Christopher Charbonneau Wells validated this vulnerability 2 months ago
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells confirmed that a fix has been merged on 419fcc 2 months ago
Christopher Charbonneau Wells has been awarded the fix bounty