Lucene search
Nehalr777E9309018-E94F-4E15-B7D1-5D38B6021C5DHistorySep 22, 2022 - 6:09 p.m.
Improper Cache control allows attacker to view sensitive data
2022-09-2218:09:15
nehalr777
www.huntr.dev
12
impropercachecontrol
sensitivedataaccess
accountsecurity
attackmitigation
browserbackbuttonsecurity
EPSS
0.001
Percentile
31.5%
Description
Due to improper cache control an attacker can view sensitive information even if he is not logged into the account
Proof of Concept
- Go to https://rdiffweb-demo.ikus-soft.com/login/ and login into your account using given credentials
- Go to https://rdiffweb-demo.ikus-soft.com/admin/logs and this endpoint has the entire log
- Click on Logout
- Now press the back button of your browser
- You will notice that you are still able to view the sensitive data/log files
Mitigation:
Cache-Control: private, no-cache, no-store, max-age=0
Pragma: no-cache
Expires: 0
References
Related
osv
osv
PYSEC-2022-296
2022-09-28 21:15:00
CVE-2022-3292
2022-09-28 21:15:14
rdiffweb vulnerable to Use of Cache Containing Sensitive Information
2022-09-29 00:00:19
github
github
rdiffweb vulnerable to Use of Cache Containing Sensitive Information
2022-09-29 00:00:19
cve
cve
CVE-2022-3292
2022-09-28 21:15:14
prion
prion
Design/Logic Flaw
2022-09-28 21:15:00
cnvd
cnvd
Rdiffweb Information Disclosure Vulnerability
2022-09-30 00:00:00
veracode
veracode
Information Disclosure
2022-09-29 08:28:27
cvelist
cvelist
nvd
nvd
CVE-2022-3292
2022-09-28 21:15:14