320 matches found
U.S. Dept Of Defense: XSS on ███████
The report describes an XSS vulnerability found on the ████████ website. The vulnerability was triggered by visiting a specific URL with a crafted parameter. The impact of the vulnerability was that it could allow an attacker to execute arbitrary JavaScript code in the victim's browser...
U.S. Dept Of Defense: Cross Site Scripting
The researchers discovered a cross-site scripting XSS vulnerability on the www.███.██████████ website. The vulnerability was found to only work in the Firefox browser. The affected product and version were not specified. No CVE numbers were provided. The vulnerability allowed for the execution of...
U.S. Dept Of Defense: reflected xss [CVE-2020-3580]
The application was vulnerable to cross-site scripting XSS due to insufficient input validation. This allowed an attacker to inject malicious scripts that could be executed in the victim's browser...
U.S. Dept Of Defense: Missing Access Control Allows for User Creation and Privilege Escalation
The RSI Test Environment application had a vulnerability that allowed unauthenticated users to create new user accounts and grant them administrator privileges. This provided unauthorized access to restricted information and documents within the application...
U.S. Dept Of Defense: CVE-2021-39226 Discovered on endpoint https://██████/api/snapshots
CVE-2021-39226 was discovered in Grafana, where authenticated and unauthenticated users were able to view and delete snapshots by accessing specific endpoints. The vulnerability allowed for unauthorized access and deletion of snapshot data...
U.S. Dept Of Defense: DBMS information getting exposed publicly on -- [ ██████████ ]
A public file was found that exposed sensitive data from the website's database, including hashed user information and other configuration details. The file contained SQL statements that could be used to access the database, potentially revealing confidential data...
U.S. Dept Of Defense: Xss - ███
The parameter 'goal1Costs' was vulnerable to cross-site scripting XSS attack. The vulnerability allowed the attacker to inject malicious JavaScript code into the application, which could be executed by the users viewing the report...
U.S. Dept Of Defense: Xss Parameter: /<s>/[*]/<s>.css ████████
The request included a cross-site scripting XSS vulnerability in the parameter /\u003cs\u003e//\u003cs\u003e.css. The vulnerability was triggered by including malicious code in the request, which could have been executed when the request was processed...
U.S. Dept Of Defense: Improper Authentication (Login without Registration with any user) at ████
The ████ system was vulnerable to an improper authentication issue. Attackers could log in as any user without registration by exploiting the signin parameter in the ██████████ endpoint. This allowed them to authenticate and change the session of a victim to any other user...
U.S. Dept Of Defense: Full Access to sonarQube and Docker
The vulnerability involved the exposure of sensitive credentials and IP addresses in a JavaScript file. The researcher gained access to the organization's Hub Docker account and Sonar projects, allowing them to identify and assess the issue. The vulnerability was caused by a JavaScript file withi...
U.S. Dept Of Defense: Time based SQL injection at████████
A time based SQL injection vulnerability was found in the /pubs/index.php endpoint on ██████. The 'years' and 'authors' parameters were vulnerable, allowing time delays to be introduced in database queries. This could have led to sensitive data exfiltration from the database. The issue could be...
U.S. Dept Of Defense: Default Admin Username and Password on ███
A vulnerability was found where default administrator credentials could be used to access an application. This could have allowed unauthorized access...
U.S. Dept Of Defense: Elasticsearch is currently open without authentication on https://██████l
An Elasticsearch instance accessible at https://██████l was found to be open without authentication, exposing data to unauthorized access. The vulnerability allowed listing and extraction of sensitive data stored in the Elasticsearch indexes. To mitigate, authentication and authorization controls...
U.S. Dept Of Defense: Reflected XSS via Keycloak on ███ [CVE-2021-20323]
The Keycloak 8.0 and prior versions contained a cross-site scripting vulnerability. An attacker could have executed arbitrary script by inserting a malicious payload in the path of a POST request to the /auth/realms/master/clients-registrations/openid-connect endpoint. This allowed the server to...
U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx
A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access and privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...
U.S. Dept Of Defense: Unauthenticated Jenkins instance exposed information related to █████
Vulnerability description not provided...
U.S. Dept Of Defense: Adobe ColdFusion - Access Control Bypass [CVE-2023-38205] at ██████
An access control bypass vulnerability was discovered in Adobe ColdFusion, allowing attackers to bypass the restriction on external access to the ColdFusion Administrator...
U.S. Dept Of Defense: Blind Sql Injection in https://█████/qsSearch.aspx
A blind SQL injection vulnerability was discovered in the qsSearch.aspx page of the application. An attacker could exploit this vulnerability to bypass authentication and retrieve sensitive information from the database. The vulnerability has been mitigated by implementing appropriate security...
U.S. Dept Of Defense: CVE-2023-24488 xss on https://██████/
Vulnerability description not provided...
U.S. Dept Of Defense: Blind Sql Injection https:/████████
A blind SQL injection vulnerability was discovered on a website, allowing an attacker to execute arbitrary SQL commands...