Tennessee Valley Authority - HackerOne Reports
Total Reports: 11
Critical: 1
High: 0
Medium: 7
Low: 2
File listing through scripts folder
Reported by: itssixtynein | Disclosed:
Weakness: File and Directory Information Exposure
SQL Injection on https://soa-accp.glbx.tva.gov/ via "/api/" path - VI-21-015
Reported by: yassinek3ch | Disclosed:
Severity: Critical
Weakness: SQL Injection
Incorrect Authorization leads to see other users Documents Uploaded
Reported by: mohs3n | Disclosed:
Severity: Medium
Weakness: Incorrect Authorization
xss reflected - pq.tva.com
Reported by: thiagomarques | Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Reflected
internal path disclosure via register error
Reported by: mohs3n | Disclosed:
Severity: Low
Weakness: Information Exposure Through an Error Message
Rate limit missing sign-in page
Reported by: dreamer_eh | Disclosed:
Severity: Medium
Weakness: Improper Restriction of Authentication Attempts
captcha bypass leads to register multiple user with one valid captcha
Reported by: mohs3n | Disclosed:
Severity: Medium
Weakness: Business Logic Errors
access to profile & reset password page without authentication
Reported by: mohs3n | Disclosed:
Severity: Medium
Weakness: Improper Authentication - Generic
xss reflected - pqm.tva.com
Reported by: thiagomarques | Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Reflected
Admin.MyTVA.com Customer lookup and internal notes bypass
Reported by: itssixtynein | Disclosed:
Severity: Medium
Weakness: Authentication Bypass Using an Alternate Path or Channel
No Rate Limit On Forgot Password Page
Reported by: sailesh01nik | Disclosed:
Severity: Low