Overhang.IO Tutor Information Disclosure Vulnerability

Vulnerability

A vulnerability in Overhang.IO Tutor (the Open edX distribution) version 20.0.2 allows an unauthorized local attacker, that is, anyone who can operate the victim's browser after the victim has logged out, to access sensitive information. The issue arises from inadequate Cache-Control HTTP headers on pages that display personally identifiable information (PII), combined with insufficient client-side session checks: the browser keeps a copy of the authenticated page, and after logout that copy is redisplayed simply by pressing the back button, with no request to the server and therefore no session check.

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of sensitive user information, including personally identifiable information (PII), to whoever uses the same browser after the legitimate user has logged out, as on a shared or public computer.

Reproduction

To reproduce this vulnerability, log into an account on Overhang.IO Tutor version 20.0.2. Once logged in, navigate to the account settings page and note the personally identifiable information (PII) it displays. Log out and wait for the logout process to complete, then press the browser's back button. The previously viewed PII is shown again because the browser serves the page from its cache rather than re-requesting it, indicating a failure in proper session management and cache control.
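The following is an added example, not code from Tutor or Open edX, that shows how to audit the response headers of a PII-bearing page for the weakness described above and what the hardened header set looks like. It is framework-agnostic and works on a plain dictionary of response headers; the two sample responses are constructed for illustration (Tutor's actual headers are not reproduced here). The Cache-Control semantics follow RFC 9111; the Pragma and Expires headers are the conventional additions for HTTP/1.0 caches.

```python
"""Audit and harden cache-related response headers for pages that carry PII.

Added example (not Tutor/Open edX code). Header names and directive
semantics follow RFC 9111; the sample responses below are constructed.
"""
from typing import Dict, List, Set

# A page holding PII must not be stored by any cache, including the
# browser's disk cache and, in practice, its back/forward cache.
REQUIRED_DIRECTIVES: Set[str] = {"no-store"}


def _directives(value: str) -> Set[str]:
    """Split 'no-store, max-age=0' into a set of lowercase directives."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def audit_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that displays PII; [] means acceptable."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    cache_control = lower.get("cache-control")
    if cache_control is None:
        # The condition described in the advisory: no anti-caching header at
        # all, so the browser is free to keep the page and show it on Back.
        findings.append("missing Cache-Control header")
    else:
        directives = _directives(cache_control)
        if not REQUIRED_DIRECTIVES <= directives:
            # 'private', 'no-cache' or 'max-age=0' alone still let the browser
            # keep a copy that history navigation can redisplay.
            findings.append(f"Cache-Control lacks no-store (got: {cache_control})")
        if "public" in directives:
            findings.append("Cache-Control: public allows shared caches to store PII")

    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("missing Pragma: no-cache (HTTP/1.0 caches)")
    if "expires" not in lower:
        findings.append("missing Expires header")
    return findings


def harden_cache_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the anti-caching set applied."""
    hardened = dict(headers)
    # Remove any existing variants case-insensitively before overriding.
    for name in list(hardened):
        if name.lower() in ("cache-control", "pragma", "expires"):
            del hardened[name]
    hardened["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0"
    hardened["Pragma"] = "no-cache"
    hardened["Expires"] = "0"
    return hardened


# Constructed sample: an account-settings response with no cache directives,
# the situation the advisory describes.
WEAK_RESPONSE: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "sessionid=abc123; Path=/; Secure; HttpOnly",
}

# Constructed sample: a response that looks protected but is not, because
# 'private, max-age=0' does not forbid the browser from keeping the page.
HALF_FIXED_RESPONSE: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, max-age=0",
}


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("half-fixed", HALF_FIXED_RESPONSE)):
        print(label, "->", audit_cache_headers(resp) or "OK")
    print("hardened ->", audit_cache_headers(harden_cache_headers(WEAK_RESPONSE)) or "OK")
```

The header fix addresses only the client-side half of the problem: it stops the browser from redisplaying a stored page on Back. Logout must also invalidate the session server-side, so that a fresh request carrying the old cookie is rejected rather than re-rendering the account page. In Django-based code, which Open edX is, the equivalent of `harden_cache_headers` is available as the `never_cache` view decorator or `django.utils.cache.add_never_cache_headers`; the dictionary-based version above is used here so the example runs without a framework.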

Added: Nov 26, 2025, 7:19 PM
Updated: Nov 26, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  3.6
remediation     0.0
relevance       1.2
threat          1.6
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.