Unauthenticated Access to Users PII
Description An Unauthorized/Unauthenticated Attacker can access PII data of all the Users. Some of the PII leaked are: first name, last name, email, username, IP address, twofactorsecret, twofactorrecoverycodes Proof of Concept http://localhost/api/user It shows you details of all the users...
U.S. Dept Of Defense: IDOR leaking PII data via VendorId parameter
Description: Dear DoD, I found one bug on your domain from Hack US program: █████ It's IDOR bug. Make sure to know that I didn't test many funcs here for IDOR. I didn't test for ATO Account Takeover. But you should fix this. Here's the PoC: ██████████ Thank you DoD! Impact An attacker could steal...
MyEasyDocs Exposed 30GB of Israeli and Indian Students PII Data
By Waqas MyEasyDocs is a Chennai, India-based online document verification platform whose Microsoft Azure server exposed data of over… This is a post from HackRead.com Read the original post: MyEasyDocs Exposed 30GB of Israeli and Indian Students PII Data...
Trellix: Sensitive Information Disclosure
Sensitive information, including Personally Identifiable Information (PII) data, was being disclosed through JEB 4.2.0.202106271614 licensed to a specific user. The vulnerability allowed unauthorized access to the information and could potentially lead to data breaches...
Exposure of Sensitive Information to an Unauthorized Actor in microweber/microweber
Description Any unauthorized/unauthenticated actor can find the PII data of all the users registered in the application. PII - Personally Identifiable Information leaked by this application is first name, last name, email id, picture, username, isadmin status Proof of Concept 1 Visit...
HackerOne: PII data Leakage through hackerone reports
Summary: I found PII data leakage through the HackerOne report. I found a link in one of the disclosed reports that allowed me to get the address and phone numbers of security researchers. Here I got the address and phone number of ████ ███ Vulnerability Name: PII data Leakage through Steps to...
Curve: Sensitive Info Leak - An Attacker Can Retrieve All the Users Mobile Numbers at https://website-api.production.curve.app/api/waitlist/us
Hi, When I was going through all the JS files in curve.com I found a link called "/usa" that is used to create Curve USA Waitlists by entering your name, email address, mobile number and address details. F874173 Then there is a functionality called "Track my Position" by using which joined users can view...
U.S. Dept Of Defense: [Critical] Insufficient Access Control On Registration Page of Webapps Website Allows Privilege Escalation to Administrator
Summary: Hello. Due to insufficient access controls and poor implementation of the registration at https://████████/████/login.cfm it was possible to register while escalating privileges to an administrator. Description: It was possible to tamper with the registration request at...
This Week in Security News: Unsecured Servers and Vulnerable Processors
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about vulnerabilities that can allow hackers to retrieve data from CPUs and mine cryptocurrency. Read on: May’s Patch Tuesday Include...
Starbucks: Information Leak - Github - JMS Information
Hi, After some research, I found a leak on GitHub that might lead to accessing sensitive data of employees or clients, not sure which based on the code. There is also a SAP S-user to access a cloud-based HANA service. I have not confirmed what kind of data is in there to avoid potential legal issues. I...
pijao-quindio.gov.co XSS vulnerability
Open Bug Bounty ID: OBB-246357 Description| Value ---|--- Affected Website:| pijao-quindio.gov.co Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| 6.1...
VSploit Web PII
This module emulates a webserver leaking PII data This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VSploit Web PII', 'Description' = 'This module emulates a webserver leaking PII data', 'License...