GSA Bounty - HackerOne Reports
Total reports: 49 | Critical: 3 | High: 9 | Medium: 19 | Low: 11
Root user disclosure in data.gov domain through x-amz-meta-s3cmd-attrs header
Reported by: sneakerz | Disclosed: | Severity: Low | Weakness: Information Disclosure
The user who was deleted from the GitHub organization can still access all functions of Federalist if he didn't log out
Reported by: sp1d3rs | Disclosed: | Severity: Medium | Weakness: Improper Authentication - Generic | Bounty: $300.00
Double Stored Cross-Site Scripting in the admin panel
Reported by: sp1d3rs | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $300.00
[IDOR] The authenticated user can restart website build or view build logs on any other Federalist account
Reported by: sp1d3rs | Disclosed: | Severity: Medium | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $350.00
SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent
Reported by: harisec | Disclosed: | Severity: Critical | Weakness: SQL Injection
Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS
Reported by: albinowax | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $750.00
SSH server compatible with several vulnerable cryptographic algorithms
Reported by: northivanastan | Disclosed: | Severity: Medium | Weakness: Use of a Broken or Risky Cryptographic Algorithm
Blind Stored XSS in "Report a Problem" on www.data.gov/issue/
Reported by: rioncool22 | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $300.00
xmlrpc.php file enabled - data.gov
Reported by: zddw | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
[api.data.gov] Leak Valid API Without Verification
Reported by: 0xsp | Disclosed: | Weakness: Improper Authentication - Generic
2FA bypass - confirmation tokens don't expire
Reported by: muskecan | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
SSRF in Search.gov via ?url= parameter
Reported by: niwasaki | Disclosed: | Severity: Low | Weakness: Server-Side Request Forgery (SSRF) | Bounty: $150.00
Information disclosure (system username, server info) in the x-amz-meta-s3cmd-attrs response header on data.gov
Reported by: ninja_cyber007 | Disclosed: | Severity: Low | Weakness: Information Disclosure
Server Side Misconfiguration (EMAIL SPOOFING)
Reported by: swag01 | Disclosed: | Weakness: Improper Authentication - Generic
federalist.18f.gov vulnerable to Sweet32 attack
Reported by: r0p3 | Disclosed: | Severity: Medium | Weakness: Man-in-the-Middle
Unclaimed GitHub Repository Takeover on https://www.data.gov/labs
Reported by: noobzombie | Disclosed: | Severity: Low | Weakness: Phishing
Email Spoofing - SPF record set to Neutral
Reported by: ramakanthk35 | Disclosed: | Weakness: Violation of Secure Design Principles
Race condition on the Federalist API endpoints can lead to a Denial of Service attack
Reported by: sp1d3rs | Disclosed: | Severity: Low | Weakness: Violation of Secure Design Principles | Bounty: $150.00
Reflected XSS on data.gov (WAF bypass + Chrome XSS Auditor bypass + works in all browsers)
Reported by: sp1d3rs | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Reflected | Bounty: $300.00
HTTP Request Smuggling on https://labs.data.gov
Reported by: puppykok | Disclosed: | Severity: High | Weakness: HTTP Request Smuggling | Bounty: $750.00