Admin pages are cached and can be embedded

Moderate
piRGoif published GHSA-3m3g-86hp-5p2j Jan 12, 2021

Package

No package listed

Affected versions

< 2.7.2, < 3.0.0

Patched versions

2.7.2, 3.0.0

Description

Impact

Admin pages are cached, so their content remains visible after logout by using the browser's back button.

They can also be embedded in an iframe.
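
The following is an added example, not Combodo's code: it checks the response headers of an admin page for the two weaknesses described above. The policy it enforces (`Cache-Control: no-store`, plus `X-Frame-Options` or a CSP `frame-ancestors` list) is an assumption about what a hardened response should carry, not the content of the fix. The sample header sets are constructed.

```python
"""Audit one response's headers for the two weaknesses in this advisory."""

BROAD_SOURCES = {"*", "http:", "https:"}  # frame-ancestors values that allow any site


def _directives(value, sep):
    """Split a header value into lowercase, stripped directives."""
    return [d.strip().lower() for d in value.split(sep) if d.strip()]


def audit_headers(headers):
    """Return sorted finding codes: 'cacheable' and/or 'frameable'."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Only no-store keeps the page out of browser and proxy caches;
    # no-cache or private alone still permit a stored copy.
    if "no-store" not in _directives(h.get("cache-control", ""), ","):
        findings.append("cacheable")

    # X-Frame-Options: ALLOW-FROM is obsolete, so only these two count.
    xfo_ok = h.get("x-frame-options", "").strip().lower() in ("deny", "sameorigin")

    # CSP: this check requires an explicit, non-wildcard frame-ancestors list.
    csp_ok = False
    for directive in _directives(h.get("content-security-policy", ""), ";"):
        name, *sources = directive.split()
        if name == "frame-ancestors":
            csp_ok = bool(sources) and not BROAD_SOURCES.intersection(sources)
            break  # a repeated directive is ignored after its first occurrence
    if not (xfo_ok or csp_ok):
        findings.append("frameable")
    return sorted(findings)


# Constructed header sets (not captured from a real iTop instance).
SAMPLES = {
    "cached_and_frameable": {"Cache-Control": "private, max-age=3600"},
    "hardened": {"cache-control": "no-store, no-cache, must-revalidate",
                 "X-Frame-Options": "SAMEORIGIN"},
    "obsolete_xfo": {"Cache-Control": "no-cache",
                     "X-Frame-Options": "ALLOW-FROM https://example.com"},
    "csp_only": {"Cache-Control": "No-Store",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_headers(hdrs))
```

Feed it the headers returned for an authenticated admin URL before and after upgrading; an empty list means neither weakness was detected by this check.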

Patches

Fixed in 2.7.2 and 3.0.0

Credits

Many thanks to Cyblex Technologies (Clément Speybrouck, Antoine Vacher) for this report!

References

Combodo ref N°3317

For more information

If you have any questions or comments about this advisory:
Email us at itop-security@combodo.com

Severity

Moderate

CVE ID

CVE-2020-15218

Weaknesses

No CWEs
