Unauthenticated metadata disclosure of protected NASA flight reports and mission schedules via /ajax/activity

Disclosed by madhu873
Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program

None of the documents are accessible without logging in. The names of the files and their authors provide little information.

Summary by madhu873

This report describes a metadata exposure issue in NASA's airbornescience.nasa.gov domain, where unauthenticated users could access internal document titles, mission names, timestamps, and author usernames through the /ajax/activity endpoint. While the documents themselves were protected, the metadata could potentially assist in profiling operations, schedules, and researchers. The issue was responsibly disclosed under NASA's Vulnerability Disclosure Program via Bugcrowd and marked as informational (P5).
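As an added illustration, not code from the report or from the airbornescience.nasa.gov site, a minimal server-side policy for an activity feed of the kind the report describes: the handler returns the entries only to an authenticated session and answers unauthenticated callers with 401, and a small regression check confirms that none of the metadata fields named in the report (title, mission, timestamp, author) appear in the unauthenticated response. The endpoint path is the only value taken from the report; the response shape, field names and sample entries are constructed.

```python
from typing import Optional

# Constructed sample entries of the kind the report says /ajax/activity exposed:
# document title, mission name, timestamp and author username. Not real data.
ACTIVITY_FEED = [
    {"title": "Flight report (constructed)", "mission": "MISSION-A",
     "timestamp": "2023-07-13T09:00:00Z", "author": "jdoe"},
    {"title": "Mission schedule (constructed)", "mission": "MISSION-B",
     "timestamp": "2023-07-14T15:30:00Z", "author": "asmith"},
]

# Field names the report lists as sensitive even when the documents are protected.
SENSITIVE_FIELDS = {"title", "mission", "timestamp", "author"}


def activity_response(session_user: Optional[str], feed=ACTIVITY_FEED):
    """Build (status, body) for a hypothetical /ajax/activity handler.

    The deny branch comes first: a caller with no session gets a 401 and a
    body that carries no feed metadata at all, not even a count or a
    redacted entry list, so a field added later cannot slip through.
    """
    if session_user is None:
        return 401, {"error": "authentication required"}
    return 200, {"user": session_user, "entries": [dict(e) for e in feed]}


def leaked_fields(body) -> set:
    """Regression check: return every sensitive field name found anywhere
    in a response body. Run it against the unauthenticated path after each
    deploy; a non-empty result means metadata is leaking again."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(body)
    return found
```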
