Vulnerability feedback information visible in public projects
HackerOne report #490250 by ashish_r_padelkar on 2019-02-02, assigned to
There is a feature in a project called Security Dashboard which is not visible publicly. When you browse the Security Dashboard, the following endpoint is requested in the background:
This endpoint is also visible publicly, which I think it should not be, because it reveals some important information.
This endpoint also works in the following scenarios:
- When public projects have the settings shown below
- Guests in private projects are also able to see this information.
Steps To Reproduce:
- As an owner of a public project, set the settings shown in the screenshot above
- Now access the URL with or without authentication, or as another user
Public projects reveal security-related information to unauthorised users.
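An added illustration, not code from the report or from the affected product: a minimal access check modelled on the two scenarios above (a public project read by an anonymous or unrelated user, and a private project read by a guest), showing the permissive check beside one that gates on the caller's role in the project rather than on project visibility. The role names, the rank ladder and the "reporter or above" threshold are assumptions for the example.

```python
"""Access check modelled on the report: the feedback endpoint must be gated on
the caller's role in the project, not on whether the project itself is public.
Role ladder and the 'reporter' threshold are assumptions for this example."""
from dataclasses import dataclass
from typing import Optional

PRIVATE, PUBLIC = "private", "public"
ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}


@dataclass
class Project:
    visibility: str
    members: dict  # username -> role name
    security_dashboard_enabled: bool = True


def can_read_feedback_buggy(project: Project, user: Optional[str]) -> bool:
    """The permissive check the report describes: anyone who can see the
    project (public visibility or any membership, guests included) can read."""
    if not project.security_dashboard_enabled:
        return False
    return project.visibility == PUBLIC or user in project.members


def can_read_feedback_fixed(project: Project, user: Optional[str]) -> bool:
    """Gate on role, independent of visibility: anonymous users and guests are
    refused; members at 'reporter' or above (assumed threshold) are allowed."""
    if not project.security_dashboard_enabled or user is None:
        return False
    role = project.members.get(user)
    return role is not None and ROLE_RANK[role] >= ROLE_RANK["reporter"]


def audit(project: Project, user: Optional[str]) -> tuple:
    """Return (buggy, fixed) so the two checks can be compared side by side."""
    return can_read_feedback_buggy(project, user), can_read_feedback_fixed(project, user)


# Constructed sample projects matching the two scenarios in the report.
PUBLIC_PROJECT = Project(PUBLIC, {"alice": "owner"})
PRIVATE_PROJECT = Project(PRIVATE, {"alice": "owner", "bob": "guest", "carol": "developer"})

if __name__ == "__main__":
    for proj, user in [(PUBLIC_PROJECT, None), (PUBLIC_PROJECT, "mallory"),
                       (PRIVATE_PROJECT, "bob"), (PRIVATE_PROJECT, "carol")]:
        print(proj.visibility, user, audit(proj, user))
```

A `(True, False)` row is exactly the leak the report describes: the permissive check lets the request through while the role-gated check refuses it.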
Warning: Attachments received through HackerOne, please exercise caution!