The UI Performs the Wrong Action in kcal-app/kcal


Reported on

Sep 27th 2021


Sensitive Data can be exposed even after logouting the application due to ui wrong action

Proof of Concept

1) login to the application dashboard (
2)  Goto Any pages ( recipes,foods )
3) Click logout
4) Click browser back button

Application structure exposed  we can still search for foods


Any other user can view the data if browser tab remains unclosed after logouting. application must striclty redirect to login page even browser back button is pressed,

We have contacted a member of the kcal-app/kcal team and are waiting to hear back 2 years ago
Christopher Charbonneau Wells validated this vulnerability 2 years ago
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells marked this as fixed with commit 419fcc 2 years ago
Christopher Charbonneau Wells has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation