Hello @deptofdefense, when performing reconnaissance, I came across a presentation slide that displayed live data since the data is blocked out & is formatted with
XXX-XX with the last 4 digits.
The exposed data contains the following:
UPC, Division/Brigade, Rank, Soldier Name, Last 4 digits of SSN, FRR (Financial Record Reviews), PRR (Personal Record Reviews).
Here are a few exposed users: ████████, XXX-XX-█████████ ████████, XXX-XX-█████
The link that is hosting the Presentation Slide:
https://████████/wp-content/uploads/2017/12/Introduction-to-iPERMS-Slides.pptx & on Slide 25, there is the exposed data.
The remediation/mitigation for this security flaw is the removal of the data/file & I have set the severity to
Critical as it is exposing sensitive [PII] which could lead to a data breach.
The sensitive information can be used to authenticate through various web-portals especially with the last 4 digits & full name with rank.