Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneUn4giH1:904659
HistoryJun 22, 2020 - 5:21 a.m.

U.S. Dept Of Defense: PII Leak via /███████

2020-06-2205:21:41
un4gi
hackerone.com
7
JSON

Summary:
The ██████████ website allows access to PII of all site users via faulty access control to the /██████ endpoint.

Step-by-step Reproduction Instructions

  1. Browse to ████████ and login or create an account.
  2. Browse to ███████/████████. You will be able to access PII of all site users (click a username to view the PII).

Suggested Mitigation/Remediation Actions

Restrict access to the /██████████ module to only administrative users.

Impact

An adversary can gain access to PII of all ███████ users.

JSON