9 matches found
U.S. General Services Administration: access nagios dashboard using default credentials in ** omon1.fpki.gov, 3.220.248.203**
Summary: when i performing recon on fpki.gov i found nagios dashboard in omon1.fpki.gov, 3.220.248.203 and i accessed it using default credentials username: nagiosadmin password : nagiosadmin Steps To Reproduce: 1. visit these urls : https://omon1.fpki.gov/nagios/side.php...
U.S. General Services Administration: IDOR at https://demo.sftool.gov/TwsHome/ScorecardManage/ via scorecard name
Hi Team, I have found a broken access control vulnerability on https://demo.sftool.gov/ under your /tws directory. I made two accounts. One account i browsed to /tws and created a new scorecard. Here i can submit all information I need. The scorecard name is in the end of the URL...
CISA Releases Guidance: TIC 3.0 Remote User Use Case
In coordination with the Office of Management and Budget OMB, the Federal Chief Information Security Officer Council FCISO Trusted Internet Connections TIC Subcommittee, and the General Services Administration, CISA has released Trusted Internet Connections 3.0 Remote User Use Case. The Remote Us...
U.S. General Services Administration: User information disclosed via API
Summary: It appears that the requests for "system accounts" are fully available via an API endpoint that does not require authentication. The main issue is that among the information disclosed are user emails many with gmail addresses but the individual applications also include information that...
U.S. General Services Administration: Unauthorized access to employee panel with default credentials.
Summary: Hello, When hunting for your web application. I have managed to go https://cars.fas.gsa.gov/cars/cars and get displayed with a form. I have already tried to login to Cars and without success. However i've noticed the loginChk function and change the value of the form hence bypassing it a...
U.S. General Services Administration: CRLF INJECTION
Vulnerable url - https://www.epay.fas.gsa.gov/%0D%0ASet-Cookie:crlfinjection=crlfinjection Impact an attacker can set new header...
U.S. Govt. Makes it Harder to Get .Gov Domains
The federal agency in charge of issuing .gov domain names is enacting new requirements for validating the identity of people requesting them. The additional measures come less than four months after KrebsOnSecurity published research suggesting it was relatively easy for just about anyone to get...
USASearch - Moderately Critical - Access Bypass - SA-CONTRIB-2016-010
This module indexes public content using USASearch, a program of the General Services Administration’s Office of Citizen Services and Information Technology OCSIT, which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search o...
Government's Cloud Audit Program Falls Behind Schedule
In a speech on Wednesday, Federal Chief Information Officer Steven VanRoekel said that a federal plan for qualifying and providing security audits on private sector cloud providers will become mandatory for any agency that wanted to contact with third party cloud providers, according to a report ...