Coordinated report submitted through a national CERT.
Context
This section documents a real-world case of responsible security disclosure involving a public-sector system in Spain.
The finding was identified through non-intrusive analysis and reported via an official channel, following the principles of coordinated, ethical and responsible disclosure.
Technical details have been intentionally limited to respect confidentiality and security best practices.
Environment
- Sector: Public administration · Education.
- Region: Spain.
- Reporting channel: INCIBE-CERT.
- System type: Publicly accessible web platform.
Finding classification
- Category: Information Disclosure / Security Misconfiguration.
- OWASP Top 10: A05 – Security Misconfiguration.
- Overall severity: Medium (resulting from the accumulation of exposures; none is exploitable in isolation).
Finding summary
Multiple configuration exposures were identified on a public-sector web platform. They allowed unauthenticated access to certain informational components of the system.
Taken together, these exposures facilitated advanced reconnaissance, such as identifying valid users, enumerating available features and detecting active auxiliary services.
Although none of the detected elements allowed direct exploitation or unauthorized access to sensitive data on its own, their combination increased the attack surface and could amplify the impact of other vulnerabilities, should any exist.
The finding was analyzed in a non-intrusive manner and reported through a responsible disclosure process.
Security impact
- Increased publicly exposed attack surface.
- Easier reconnaissance ahead of targeted attacks.
- Reduced effort required to chain additional vectors.
Methodology
- Passive, non-intrusive analysis.
- No exploitation of features.
- No interaction with user accounts.
Status
- Report received and registered by INCIBE-CERT.

Evidence
Technical evidence and the report acknowledgment are available upon request, in accordance with confidentiality and responsible-disclosure principles.
