The UI Performs the Wrong Action in babybuddy/babybuddy
Valid
Reported on Sep 15th 2021
Description
Violation of secure design principles
Proof of Concept
step 1: log in to the account and log out
step 2: click the back button in the browser
step 3: check the right corner; there we can see the user profile option
step 4: click on it; the application settings get listed
PoC image attached as link
https://ibb.co/GMVH79B
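The steps above describe a classic symptom: after logout, pressing Back shows an authenticated page that the browser still has in its history cache. The report does not state the root cause, but the standard defence is to send Cache-Control: no-store on every page rendered for a logged-in user. The following is an added, framework-independent model of that defence (not Baby Buddy's own code; the settings view, the session dict and the tiny Browser class are constructed for illustration); in a Django project the same effect comes from a small response middleware or the never_cache decorator.

```python
# Model of "Back after logout" and its mitigation. Constructed example:
# a minimal browser keeps a history cache that it consults on Back
# navigation unless the response forbade storing it with no-store.

NO_STORE = "no-store, no-cache, must-revalidate, max-age=0"


def settings_view(session):
    """Hypothetical settings page: only renders for a logged-in session."""
    if not session.get("user"):
        return {"status": 302, "headers": {"Location": "/login"}, "body": ""}
    return {"status": 200, "headers": {}, "body": f"settings for {session['user']}"}


def no_store_for_authenticated(view):
    """Response hook: forbid caching of any page rendered for a logged-in user."""
    def wrapped(session):
        resp = view(session)
        if session.get("user"):
            resp["headers"]["Cache-Control"] = NO_STORE
            resp["headers"]["Pragma"] = "no-cache"  # legacy HTTP/1.0 caches
        return resp
    return wrapped


class Browser:
    """History cache: Back serves the stored copy unless no-store was set."""
    def __init__(self):
        self.history = {}

    def visit(self, path, view, session):
        resp = view(session)
        if "no-store" in resp["headers"].get("Cache-Control", ""):
            self.history.pop(path, None)   # must not be retained
        else:
            self.history[path] = resp      # retained for Back navigation
        return resp

    def back(self, path, view, session):
        return self.history.get(path) or view(session)  # re-fetch if not cached


def replay_report(protect: bool) -> str:
    """Steps 1-2 of the report: log in, open settings, log out, press Back.
    Returns the page body the user sees after pressing Back."""
    view = no_store_for_authenticated(settings_view) if protect else settings_view
    browser, session = Browser(), {"user": "alice"}
    browser.visit("/settings", view, session)   # step 1: authenticated visit
    session.clear()                             # step 1: logout
    return browser.back("/settings", view, session)["body"]  # step 2: Back
```

Without the hook the stale settings page is served from history; with it the browser re-fetches and is redirected to the login page.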
Impact
This vulnerability is capable of leaking sensitive information in certain scenarios.
We have contacted a member of the babybuddy team and are waiting to hear back
2 years ago: Christopher Charbonneau Wells has been awarded the fix bounty
This vulnerability will not receive a CVE