20 matches found
CVE-2026-54104
The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS trusts client-provided values for the 'epdsroleid' parameter without verification, allowing a remote, authenticated attacker to escala...
CVE-2026-54106
The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network...
CVE-2026-54106
The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network...
CVE-2026-54106 U.S. GAO EPDS and CBCA EDS network access control bypass
The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network...
CVE-2026-54105
The CVE concerns CVE-2026-54105 affecting the GAO EPDS and CBCA EDS systems. The vulnerability arises from the update-profile/ API endpoint, where a remote, unauthenticated attacker can supply an arbitrary user_id and receive a JSON response containing account-specific information, including the ...
EUVD-2026-37911
The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS trusts client-provided values for the 'epdsroleid' parameter without verification, allowing a remote, authenticated attacker to escala...
CVE-2026-54104 U.S. GAO EPDS and CBCA EDS client-based privilege escalation
The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS trusts client-provided values for the 'epdsroleid' parameter without verification, allowing a remote, authenticated attacker to escala...
CVE-2026-54103
The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could chang...
EUVD-2026-37910
The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could chang...
CVE-2026-54103 U.S. GAO EPDS and CBCA EDS unauthenticated password change
The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could chang...
CVE-2026-54103
CVE-2026-54103 affects GAO EPDS and CBCA EDS, where the /update-profile/N endpoint does not require authentication for password changes. The vulnerability allows a remote attacker to change an arbitrary user’s password without credentials. This result is supported by the CVSS data indicating high...
PT-2026-50706
Name of the Vulnerable Software and Affected Versions U.S. GAO Electronic Protest Docketing System EPDS affected versions not specified U.S. CBCA Electronic Docketing System EDS affected versions not specified Description The U.S. Government Accountability Office GAO Electronic Protest Docketing...
U.S. Weapons Programs Lack 'Key' Cybersecurity Measures
Weapons programs from the U.S. Department of Defense DoD are falling short when it comes to incorporating cybersecurity requirements, according to a new watchdog report. While the DoD has developed a range of policies aimed at hardening the security for its weapon systems, the guidance leaves out...
Pentagon Expands Bug-Bounty Program to Include Physical Systems
The Department of Defense is expanding its “Hack the Pentagon” bug-bounty program to include hardware assets, tapping the Synack, HackerOne and Bugcrowd platforms to attract more white hats to the effort. The news comes two weeks after the Government Accountability Office GAO released a report...
Security Vulnerabilities in US Weapons Systems
The US Government Accounting Office just published a new report: "Weapons Systems Cyber Security: DOD Just Beginning to Grapple with Scale of Vulnerabilities" summary here. The upshot won't be a surprise to any of my regular readers: they're vulnerable. From the summary: Automation and connectivi...
Massachusetts Hospital Agrees to Pay $1.5m After Stolen Laptop HIPAA Violation
Massachusetts Eye and Ear Infirmary, a Boston-based hospital, agreed to pay $1.5 million to the U.S. Department of Health and Human Services HSS earlier this week, settling a HIPAA violation stemming from a 2010 incident. The agreement acknowledges that the hospital failed to comply with...
GAO Calls out the FDIC
It’s not always malicious hackers and purported state actors that expose weaknesses in government systems. Sometime it’s other government agencies as well. This was the case when federal watchdog, the Government Accountability Office, audited and subsequently called out the Federal Deposit...
Insulin Pump Hack Garners Federal Attention
The hack of a commercially available insulin pump earlier this month at the DEFCON hacker conference has attracted the attention of members of the House Energy & Commerce Committee, which is now calling for a formal review of wireless medical devices like the pump. Senior Committee members Anna G...
GAO: The DoD's Plan To Unify Cyber Defenses Looks Like Swiss Cheese
A new report out from the Government Accountability Office GAO warns that the U.S. Department of Defense’s efforts to unify its cyber security operations has serious gaps and that the Department is “unprepared to meet the current threat” of cyber attack. The report, issued on Monday, is an...
GAO Names Areas of Threat to U.S.
It’s not a very good day when a security report concludes: Disruptive cyber activities expected to become the norm in future political and military conflicts. But such was the case as the Government Accountability Office took yet another critical look at the US federal security systems and found...