HackerOne report 904659 by un4gi
History: Jun 22, 2020 - 5:21 a.m.

U.S. Dept Of Defense: PII Leak via /███████

2020-06-22 05:21:41
un4gi
hackerone.com

Summary:
The ██████████ website exposes the PII of all site users because of faulty access control on the /██████ endpoint: any authenticated account can reach it.

Step-by-step Reproduction Instructions

  1. Browse to ████████ and login or create an account.
  2. Browse to ███████/████████. You will be able to access PII of all site users (click a username to view the PII).

Suggested Mitigation/Remediation Actions

Restrict access to the /██████████ module to only administrative users.
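The remediation above, as an added example that is not part of the original report: a handler that only checks for a session (the reported flaw) beside a deny-by-default guard that also requires the admin role, plus a per-user view that lets a username link reveal only the caller's own record. The `/users` path, the `admin` role name and the sample records are constructed placeholders for the redacted endpoint.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[User]  # None means no session

Response = Tuple[int, object]

# Constructed sample records standing in for the site's user table.
USERS = {
    "alice": {"email": "alice@example.invalid", "phone": "555-0100"},
    "bob": {"email": "bob@example.invalid", "phone": "555-0101"},
}

def list_users_vulnerable(req: Request) -> Response:
    """Checks only that *some* account is logged in, so any registered
    user can enumerate every other user's PII: the report's finding."""
    if req.user is None:
        return 401, "login required"
    return 200, USERS

def require_roles(*roles: str) -> Callable:
    """Deny-by-default guard: 401 without a session, 403 without a role."""
    def wrap(handler: Callable[..., Response]) -> Callable[..., Response]:
        def guarded(req: Request, *args) -> Response:
            if req.user is None:
                return 401, "login required"
            if not set(roles) & req.user.roles:
                return 403, "forbidden"
            return handler(req, *args)
        return guarded
    return wrap

@require_roles("admin")
def list_users_fixed(req: Request) -> Response:
    """Only administrators may list all users (the suggested remediation)."""
    return 200, USERS

def view_user(req: Request, name: str) -> Response:
    """Per-user record: owner or admin only, so clicking a username cannot
    be used to read someone else's PII."""
    if req.user is None:
        return 401, "login required"
    if name != req.user.name and "admin" not in req.user.roles:
        return 403, "forbidden"
    record = USERS.get(name)
    return (200, record) if record else (404, "no such user")
```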

Impact

An adversary can gain access to PII of all ███████ users.