hackerone | Alitoni224 | H1:1566758
History: May 12, 2022 - 12:20 p.m.

U.S. Dept Of Defense: The dashboard is exposed in https://███

Tags: sensitive data exposure, google dorking, mitigation measures

EPSS: 0.005
Percentile: 77.0%

Description:
At first, hello. After searching in sub-domains, the dashboard, which is supposed to be protected, was accessed by Google Dorking:
https://█████████l/arsys/forms/arpcp/ARPC%3AWeb%3AHier%3ADashboard/Default+Admin+View/?F536871388=1&mode=Submit&cacheid=c66791da

References

https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

Impact

CWE-200
https://cwe.mitre.org/data/definitions/200.html

System Host(s)

█████████l

Affected Product(s) and Version(s)

website

CVE Numbers

CVE-2020-7130

Steps to Reproduce

After searching with Google dorking on a file extension or endpoint, jspDashboard was found in the URL:
https://████████l/arsys/forms/arpcp/ARPC%3AWeb%3AHier%3ADashboard/Default+Admin+View/?F536871388=1&mode=Submit&cacheid=c66791da
██████

Note: it is leaked; you can log out and bypass it by typing anything in the username box.

Suggested Mitigation/Remediation Actions

Collect sensitive information on a local server and protect endpoints.

With best regards and love
Toni…
