BugCrowd Bug Bounty Disclosure: P5 – Session ID Disclosure via Referer Header to Third-Party Domains (nspires.nasaprs.com) – madhu873

Session ID Disclosure via Referer Header to Third-Party Domains (nspires.nasaprs.com)

Researcher: madhu873
Engagement: National Aeronautics and Space Administration (NASA) – Vulnerability Disclosure Program
Disclosed at: 2025-11-03T21:40:55Z
Priority: P5
Status: Informational

Summary

Session ID leakage in Referer headers on nspires.nasaprs.com

The application appends ;jsessionid to URLs. When pages load, the session ID is exposed in Referer headers sent to third-party domains (e.g., Google Analytics). Impact: Session tokens leave NASA’s control, creating risks of token exposure, third-party log storage, and potential hijacking.

Fix: Avoid embedding session IDs in URLs; use secure cookies for session management.

Activity Feed

Timestamp (UTC)        Actor             Details
2025-11-04T06:09:29Z   madhu873          sent a message
2025-11-03T21:41:56Z   Martin_NASA       sent a message
2025-11-03T21:40:56Z   Martin_NASA       published the submission
2025-11-03T20:48:06Z   madhu873          sent a message
2025-11-03T20:46:25Z   madhu873          sent a message
2025-11-03T17:05:47Z   Martin_NASA       sent a message
2025-08-25T02:51:11Z   madhu873          requested disclosure
2025-08-23T18:39:31Z   teapot_bugcrowd   sent a message
2025-08-23T18:39:30Z   teapot_bugcrowd   changed the state to informational
2025-08-23T18:39:30Z   teapot_bugcrowd   updated the submission
2025-08-23T10:45:38Z   madhu873          created the submission
