An issue was discoverd in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. Discovered by - Rivek Raj Tamang (RivuDon), Sikkim, India.# CVE-2025-65681
An issue was discoverd in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. Discovered by - Rivek Raj Tamang (RivuDon), Sikkim, India.
**Affected Product: Overhang.IO**
* Affected Version: 20.0.2
* **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India**
## Vulnerability Details
Information Disclosure
# Summary
The vulnerability allows unauthorized access to sensitive user information in Overhang.IO Tutor (tutor-open-edx) version 20.0.2 due to improper client-side session handling and missing cache-control headers. After logging out, user-specific PII remains accessible simply by pressing the browser’s back button, exposing sensitive account details without reauthentication. This flaw constitutes an Information Disclosure vulnerability and poses a risk to user privacy and session integrity.
## Steps to Reproduce
0. Have a valid account
1. Log in to the account
2. Go to account settings
4. Note the PII Information
5. Now simply click on logout and wait for the page to log out
6. Now click on the browser back button
Note the PII Being disclosed clearly without any proper cache control
# Acknowledgement
This vulnerability was discovered and responsibly reported by:
**Rivek Raj Tamang (RivuDon) from Sikkim, India**
https://www.linkedin.com/in/rivektamang/
https://rivudon.medium.com/
[4.0K] /data/pocs/f406f3ee7f880b379f7e3147389a891bd1dda0e7
└── [1.5K] README.md
1 directory, 1 file