18 matches found
U.S. Dept Of Defense: Information Disclosure FrontPage Configuration Information
An information disclosure vulnerability was discovered in the Microsoft FrontPage configuration of a subdomain. This vulnerability allowed an attacker to view the version number and scripting paths of Sharepoint using Firefox...
U.S. Dept Of Defense: AWS Credentials Disclosure at ███
Sensitive AWS credentials were disclosed through a config.json file found on a server. An attacker could have used these credentials to gain access to sensitive information on the AWS account or perform arbitrary modifications on AWS resources. The affected system host was not disclosed. No CVE...
U.S. Dept Of Defense: springboot actuator is leaking internals at ██████████
Proof of Concept If you go to https://█████████/actuator you'll get a complete overview of all the endpoints that are accessable Suggestion: Use a Firefox Browser if possible, its json representation is well formed and the links are clickable ██████████ Impact Information Disclosure...
U.S. Dept Of Defense: Reflected cross site scripting in https://███████
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. request.txt attacked poc attached Impact Cookie Stealing - A malicious user can steal cookies and use them to gain access to the...
U.S. Dept Of Defense: RXSS on █████████
Description: the WhatSubmitted parameter not filtered, i can insert " character and execute code JS Impact Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate...
U.S. Dept Of Defense: SSRF ACCESS AWS METADATA - █████
Hi Security Team, Based on https://hackerone.com/hack-us-h1c challenge, I have urgent vulnerability and the challenge doesn't accept reprots for now 1:56 AM . I have found a SSRF Vulnerability which allow access to the AWS metadata, using Parameter ?url= as shown blew An attacker can tunnel into...
U.S. Dept Of Defense: CVE-2020-3187 - Unauthenticated Arbitrary File Deletion
A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted...
U.S. Dept Of Defense: SQL Injection in █████
References Impact By using SQL injection, an attacker can exfiltrate the whole database, and gain RCE System Hosts ████ Affected Products and Versions ████ CVE Numbers Steps to Reproduce POC 1 - curl command injecting query, returning database version: curl https://█████████ -X POST...
U.S. Dept Of Defense: Reflected XSS at https://██████████/████████ via "███████" parameter
There is Reflected Cross site scripting issue at the following url: https://████████/█████ Proof Of Concept https://████/███?███=%22onfocus%3d%22alertdocument.domain%22autofocus%3d%22&submit=Search ███ Best Regards @pelegn Impact Cookies Exfiltration SOAP Bypass CORS Bypass Executing javascript o...
U.S. Dept Of Defense: Reflected XSS at https://██████/██████ via "██████" parameter
There is Reflected Cross site scripting issue at the following url: https://██████████/██████ Proof Of Concept https://████████/█████████████████=%22%3E%3Csvg/onload=alert1%3E█████████ █████ Best Regards @pelegn Impact Cookies Exfiltration SOAP Bypass CORS Bypass Executing javascript on the victi...
U.S. Dept Of Defense: XSS on https://███████/██████████ parameter
PoC https://███████/███ Pameter 'xxslots' must be invalid Payload xss%22%20tabindex%3d1%20autofocus%20onfocus%3d%22alert ███████ Impact XSS on https://███████/ System Hosts ██████████ Affected Products and Versions CVE Numbers Steps to Reproduce Go to XSS on https://██████/██████████ Suggested...
U.S. Dept Of Defense: XSS on https://██████/███ via █████ parameter
PoC https://██████████/███████████=███████" ████████ Impact XSS at https://█████████/ System Hosts █████████ Affected Products and Versions CVE Numbers Steps to Reproduce Go to https://████/██████████████████=████" Suggested Mitigation/Remediation Actions...
U.S. Dept Of Defense: XSS on https://████/ via ███████ parameter
PoC https://████████/██████=█████████%22%20o%3Cbr%3Enfocus=confirm1337%20autofocus%20tabindex=1%20xss Payload onfocus=confirm1337 autofocus tabindex=1 xss WAF bypass Tags are removed from user input. It is allowed to bypass WAF. ███ Impact XSS on https://████████/ System Hosts ███ Affected Produc...
U.S. Dept Of Defense: XSS Reflected - ██████████
Hi Team, I found a XSS Reflected. https://██████████/███onload=%22prompt1 Thanks DRauschkolb Impact XSS vulnerabilities can be used to trick a web user into executing a malicious script, potentially revealing a user's web session information or modify web content & even steal cookies. System Host...
U.S. Dept Of Defense: Reflected XSS on https://██████
Description: Reflected XSS on https://███████ POC: https://███/████=https://████████████/%3C/script%3E%3Cscript%3Ealertorigin%3C/script%3E&██████ References ███████ Impact Unauthenticated Reflected XSS System Hosts ████████ Affected Products and Versions CVE Numbers Steps to Reproduce Step 1: Go ...
U.S. Dept Of Defense: xss on https://███████(█████████ parameter)
Greetings, i've found an xss on https://██████████████████ parameter link :████████.█████████████=%22/%3E%3Cimg%20src=x%20onerror=alert1%3E Payload : "/ ████████ best regards, frenchvlad Impact A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected on the...
U.S. Dept Of Defense: IDOR leads to Leakage an ██████████ Login Information
Hi security team, According to my report 1092618, The VDP team agreed that █████████ and it's subdomains is in the scope of the DoD program I continue testing that domain . . Issue Description: There is an IDOR in██████.███████ that connected with ████████.███████ highly protected encryption chat...
U.S. Dept Of Defense: CSRF in https://███
Summary:- --------- Cross-Site Request Forgery CSRF Impact 1-The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. 2-send many request via server i mean request to server and...