The UI Performs the Wrong Action in robotichead/nearbeach

Valid

Reported on

Oct 16th 2021


Description

Sensitive data in the application can be exposed after the user logs out.

Proof of Concept

1. Log in to the application ( https://demo.nearbeach.app/ )

2. Go to a page such as My Account, or any other page

3. Click logout

4. Click the browser back button

Impact

When a user logs out without closing the browser, someone else can view the information by clicking the browser's back button.

Occurrences

Not sure about the exact file and line of occurrence.

Add this code to resolve this issue:

addHeader("Cache-Control", "no-cache, no-store, must-revalidate");
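As an added, framework-independent illustration of the fix suggested above (not NearBeach's own code): a WSGI middleware that stamps the no-store headers onto every response served to an authenticated session, and a checker that flags responses a browser could still replay from history after logout. The sample app, the `sessionid` cookie check and the request environments are constructed for the example.

```python
from typing import Callable, Dict, List, Set, Tuple

Headers = List[Tuple[str, str]]
NO_STORE_VALUE = "no-cache, no-store, must-revalidate"  # value from the report

def cache_control_directives(headers: Headers) -> Set[str]:
    """Collect lowercase directive names from every Cache-Control header."""
    directives: Set[str] = set()
    for name, value in headers:
        if name.lower() == "cache-control":
            for part in value.split(","):
                directives.add(part.strip().split("=", 1)[0].lower())
    return directives

def replayable_after_logout(headers: Headers) -> bool:
    """True if a browser may show this response again via the back button.
    Only 'no-store' forbids keeping a copy; 'no-cache' alone only forces
    revalidation on a normal request, so history navigation can still show it."""
    return "no-store" not in cache_control_directives(headers)

def no_store_middleware(app: Callable, is_authenticated: Callable[[Dict], bool]) -> Callable:
    """Wrap a WSGI app so responses to authenticated sessions carry no-store headers."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            if is_authenticated(environ):
                drop = ("cache-control", "pragma", "expires")
                headers = [h for h in headers if h[0].lower() not in drop]
                headers += [("Cache-Control", NO_STORE_VALUE),
                            ("Pragma", "no-cache"), ("Expires", "0")]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped

def run(app: Callable, environ: Dict) -> Tuple[str, Headers, bytes]:
    """Minimal WSGI driver: invoke app once and return status, headers, body."""
    captured: Dict = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def account_page(environ, start_response):
    """Constructed sample app standing in for the 'My Account' page."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>My Account</h1>"]

def has_session(environ: Dict) -> bool:
    """Constructed check: treat any 'sessionid' cookie as a logged-in user."""
    return "sessionid=" in environ.get("HTTP_COOKIE", "")
```

In a Django project such as NearBeach the same effect is obtained with the `never_cache` view decorator or `django.utils.cache.add_never_cache_headers(response)` on the responses that show account data.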

We have contacted a member of the robotichead/nearbeach team and are waiting to hear back 2 years ago
robotichead validated this vulnerability 2 years ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
robotichead
2 years ago

Maintainer


Hello,

We have tried to re-replicate this issue; however, we cannot anymore. Can you please confirm that you cannot re-replicate this issue?

Thank you

Regards, Robotichead

Asura-N
2 years ago

Researcher


The issue is fixed.

Thank you. Regards, Asura-n

robotichead marked this as fixed with commit 157f7c 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
settings.py#L9 has been validated