Electronic Protest Docketing System Epds
Monthly
Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. Both systems fail to validate or sanitize this header before using it to determine whether a request originates from an allowed network range, meaning a threat actor positioned anywhere on the internet can masquerade as a trusted network source. No public exploit code or CISA KEV listing has been identified at the time of analysis, and the high-privilege prerequisite (compromised admin credentials) significantly constrains opportunistic exploitation.
Insecure Direct Object Reference (IDOR) in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) permits remote unauthenticated attackers to harvest account-specific information from any registered user. By supplying an arbitrary 'user_id' value to the publicly exposed 'update-profile/' API endpoint, an attacker receives a JSON payload disclosing the target account's email address and associated metadata without any credential requirement. No public exploit code or CISA KEV listing exists at time of analysis, but the trivially low attack complexity - no authentication, no interaction, no special configuration - makes automated mass enumeration of the user base a realistic and immediate concern for agencies relying on these procurement dispute systems.
Privilege escalation in the U.S. GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows authenticated remote attackers to elevate their privileges by tampering with the client-supplied 'epds_role_id' parameter, which the server accepts without verification. Reported by CISA-CG and tracked as EUVD-2026-37911 with a CVSS 4.0 score of 8.7, no public exploit identified at time of analysis. Both web applications have been patched by their respective government operators.
Authentication bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows remote, unauthenticated attackers to reset arbitrary user passwords by calling the '/update-profile/N' API endpoint, which fails to verify the requester's identity. Successful exploitation results in full account takeover of any user - including potentially privileged accounts handling federal bid protests and contract appeals - with no public exploit identified at time of analysis but a CVSS 4.0 base score of 9.3 (Critical) and CISA Coordinated Disclosure tracking.
Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. Both systems fail to validate or sanitize this header before using it to determine whether a request originates from an allowed network range, meaning a threat actor positioned anywhere on the internet can masquerade as a trusted network source. No public exploit code or CISA KEV listing has been identified at the time of analysis, and the high-privilege prerequisite (compromised admin credentials) significantly constrains opportunistic exploitation.
Insecure Direct Object Reference (IDOR) in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) permits remote unauthenticated attackers to harvest account-specific information from any registered user. By supplying an arbitrary 'user_id' value to the publicly exposed 'update-profile/' API endpoint, an attacker receives a JSON payload disclosing the target account's email address and associated metadata without any credential requirement. No public exploit code or CISA KEV listing exists at time of analysis, but the trivially low attack complexity - no authentication, no interaction, no special configuration - makes automated mass enumeration of the user base a realistic and immediate concern for agencies relying on these procurement dispute systems.
Privilege escalation in the U.S. GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows authenticated remote attackers to elevate their privileges by tampering with the client-supplied 'epds_role_id' parameter, which the server accepts without verification. Reported by CISA-CG and tracked as EUVD-2026-37911 with a CVSS 4.0 score of 8.7, no public exploit identified at time of analysis. Both web applications have been patched by their respective government operators.
Authentication bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows remote, unauthenticated attackers to reset arbitrary user passwords by calling the '/update-profile/N' API endpoint, which fails to verify the requester's identity. Successful exploitation results in full account takeover of any user - including potentially privileged accounts handling federal bid protests and contract appeals - with no public exploit identified at time of analysis but a CVSS 4.0 base score of 9.3 (Critical) and CISA Coordinated Disclosure tracking.