Lucene search
K

9 matches found

Hacker One
Hacker One
added 2022/09/15 1:23 a.m.19 views

U.S. General Services Administration: access nagios dashboard using default credentials in ** omon1.fpki.gov, 3.220.248.203**

Summary: when i performing recon on fpki.gov i found nagios dashboard in omon1.fpki.gov, 3.220.248.203 and i accessed it using default credentials username: nagiosadmin password : nagiosadmin Steps To Reproduce: 1. visit these urls : https://omon1.fpki.gov/nagios/side.php...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2022/02/06 6:56 p.m.24 views

U.S. General Services Administration: IDOR at https://demo.sftool.gov/TwsHome/ScorecardManage/ via scorecard name

Hi Team, I have found a broken access control vulnerability on https://demo.sftool.gov/ under your /tws directory. I made two accounts. One account i browsed to /tws and created a new scorecard. Here i can submit all information I need. The scorecard name is in the end of the URL...

0.6AI score
Exploits0
CISA
CISA
added 2021/10/07 12:0 a.m.14 views

CISA Releases Guidance: TIC 3.0 Remote User Use Case

In coordination with the Office of Management and Budget OMB, the Federal Chief Information Security Officer Council FCISO Trusted Internet Connections TIC Subcommittee, and the General Services Administration, CISA has released Trusted Internet Connections 3.0 Remote User Use Case. The Remote Us...

6.8AI score
Exploits0References8
Hacker One
Hacker One
added 2021/06/06 8:7 a.m.11 views

U.S. General Services Administration: User information disclosed via API

Summary: It appears that the requests for "system accounts" are fully available via an API endpoint that does not require authentication. The main issue is that among the information disclosed are user emails many with gmail addresses but the individual applications also include information that...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2020/12/21 9:30 a.m.17 views

U.S. General Services Administration: Unauthorized access to employee panel with default credentials.

Summary: Hello, When hunting for your web application. I have managed to go https://cars.fas.gsa.gov/cars/cars and get displayed with a form. I have already tried to login to Cars and without success. However i've noticed the loginChk function and change the value of the form hence bypassing it a...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2020/11/19 9:11 a.m.20 views

U.S. General Services Administration: CRLF INJECTION

Vulnerable url - https://www.epay.fas.gsa.gov/%0D%0ASet-Cookie:crlfinjection=crlfinjection Impact an attacker can set new header...

2AI score
Exploits0
Krebs on Security
Krebs on Security
added 2020/03/07 3:1 p.m.61 views

U.S. Govt. Makes it Harder to Get .Gov Domains

The federal agency in charge of issuing .gov domain names is enacting new requirements for validating the identity of people requesting them. The additional measures come less than four months after KrebsOnSecurity published research suggesting it was relatively easy for just about anyone to get...

6.8AI score
Exploits0
Drupal
Drupal
added 2016/03/02 12:0 a.m.15 views

USASearch - Moderately Critical - Access Bypass - SA-CONTRIB-2016-010

This module indexes public content using USASearch, a program of the General Services Administration’s Office of Citizen Services and Information Technology OCSIT, which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search o...

7.1AI score
Exploits0References13
ThreatPost
ThreatPost
added 2011/11/03 7:49 p.m.13 views

Government's Cloud Audit Program Falls Behind Schedule

In a speech on Wednesday, Federal Chief Information Officer Steven VanRoekel said that a federal plan for qualifying and providing security audits on private sector cloud providers will become mandatory for any agency that wanted to contact with third party cloud providers, according to a report ...

0.4AI score
Exploits0References4
Rows per page
Query Builder