
Web Security Audit Report

travelpro365.com: Phase 1 External Passive Reconnaissance


Target Domain: travelpro365.com
Operator: Coastline Travel Group (CST# 2040360-40)
Audit Date: March 4, 2026
Report Prepared By: CIPHER Security Platform
Client: Coastline Travel Group
Audit Type: Phase 1: External Passive Reconnaissance
Classification: CONFIDENTIAL: Attorney-Client Privilege Recommended
Risk Score: 60 / 100: HIGH RISK


1. Executive Summary

Coastline Travel Group operates travelpro365.com, a travel booking platform processing payment card data and personal travel itineraries for consumers. This Phase 1 external security assessment was conducted on March 4, 2026 using passive reconnaissance techniques: no exploitation, no credential attacks, no active penetration testing was performed. Every finding documented in this report was obtained from publicly accessible information.

The platform is in a state of critical risk. The assessment identified 14 confirmed critical findings, 22 high findings, 15 medium findings, and 7 low findings across infrastructure, application security, cryptography, and regulatory compliance. The composite risk score is 60 out of 100 (HIGH RISK). (Updated March 5, 2026: 4 supplemental findings added: SPF/DMARC absence, Aid token authentication weakness, blind parameter reflection, HTTP TRACE.)

What This Means in Plain Language

An attacker can reach the server directly. There is no Web Application Firewall (WAF), no CDN, and no DDoS protection. The production server's IP address resolves directly in DNS. Any automated scanning tool can find this server and begin attacking it within seconds of targeting the domain.

A Windows Remote Desktop port is open to the public internet. TCP port 3389, the entry point for remote desktop sessions, is reachable from anywhere in the world. Exposed RDP is one of the most common initial access vectors used by ransomware operators, through password guessing and credential stuffing as much as through exploits. The server is fingerprintable and may already be present in attacker-maintained lists of exposed RDP hosts. This requires immediate remediation.

The application stack may carry unpatched remote code execution vulnerabilities. The server runs ASP.NET Core on Kestrel, and two critical Kestrel CVEs (CVE-2024-35264, CVE-2024-38229) allow an unauthenticated attacker to execute code on servers that have HTTP/3 enabled. A third vulnerability (CVE-2025-55315) allows HTTP request smuggling against Kestrel, which can be used to bypass security controls enforced in front of it. The runtime version could not be read passively; unless the ASP.NET Core shared framework is at 8.0.21 or later (the fix level that covers all three), the server should be treated as exposed.

The payment infrastructure subdomain (pay.travelpro365.com) has a broken CORS configuration that echoes any Origin while allowing credentials, so any website on the internet can make credentialed cross-origin requests to the payment endpoint from a visitor's browser. If that endpoint relies on cookie-based sessions that are sent cross-site, this is a direct pathway for session and data theft affecting cardholders.

The platform collects personal data and processes payments with zero legal privacy infrastructure. There is no privacy policy. There is no "Do Not Sell My Personal Information" link. There is no cookie consent mechanism. Tracking pixels from Google, Facebook, and HotJar fire on every page load, including booking pages that handle travel PII. This is not a gap in compliance paperwork; it is a pattern of regulatory violations that mirrors the exact fact patterns in enforcement actions resulting in seven-figure fines.

Estimated Regulatory Exposure

Based on current enforcement precedents and the number and nature of violations identified, the estimated regulatory exposure for Coastline Travel Group is $250,000 to $5,000,000+ across CCPA, GDPR, PCI DSS, ADA Title III, and FTC Act violations. The California Attorney General has a documented history of prioritizing travel sector enforcement. This estimate is conservative.

Positive Controls Identified

Six security controls are functioning correctly and were credited in the risk score: TLS 1.0 and 1.1 are disabled, OCSP stapling is active, Certificate Transparency logging is in place, reCAPTCHA v2 is present on the login page, no admin paths are exposed, and most non-standard ports are filtered. These are foundational controls and do not offset the critical-tier findings above.

Recommended Immediate Actions (Before Any Other Work)


2. Scope and Methodology

2.1 Scope

In scope:
  • travelpro365.com (primary domain)
  • www.travelpro365.com
  • pay.travelpro365.com
  • mvt.travelpro365.com
  • brownell.travelpro365.com
  • 52.9.246.155 (AWS EC2, us-west-1): passive observation only

Out of scope: Internal networks, authenticated application flows, database layer, cloud account configuration, employee workstations, third-party vendor infrastructure (Stripe, GoDaddy Payments, Google, Meta).

2.2 Methodology

This assessment used exclusively passive and non-intrusive techniques:

No authentication credentials were used. No data was modified. No payloads were injected. No denial-of-service conditions were created. All techniques are equivalent to what a competent threat actor would perform during initial reconnaissance.

2.3 Technology Stack Identified

Web Framework: ASP.NET Core (Kestrel)
Runtime: .NET (version unconfirmed, inferred ≥ .NET 8.0)
Cloud Provider: Amazon Web Services (us-west-1)
Instance Type: EC2 (t-series inferred)
DNS Provider: GoDaddy
Payment Processing: GoDaddy Payments (Poynt), Stripe
Analytics: Google Analytics 4, Google Ads (×2), Google Tag Manager
Marketing Pixels: Facebook Pixel, HotJar session recording
Maps: Google Maps (API key hardcoded)
JavaScript Libraries: jQuery 3.5.1, jsPDF (debug build)
Security: reCAPTCHA v2 (login only), ANTIFORGERY tokens
CDN/WAF: None

3. Finding Summary

3.1 Findings by Testing Module

Testing Module | Critical | High | Medium | Low | Info | Total
Reconnaissance | 1 | 5 | 2 | 0 | 2 | 10
TLS/SSL Assessment | 1 | 2 | 3 | 3 | 3 | 12
Headers & CORS | 1 | 4 | 3 | 3 | 2 | 13
Privacy Assessment | 2 | 3 | 2 | 0 | 2 | 9
Threat Intelligence | 4 | 4 | 3 | 0 | 0 | 11
Source Code Review | 0 | 3 | 4 | 0 | 1 | 8
Infrastructure Analysis | 1 | 3 | 3 | 2 | 2 | 11
Compliance Assessment¹ | 1 | 4 | 3 | 0 | 0 | 24
Unique Total | 14 | 22 | 15 | 7 | 7 | 65
¹ One compliance item (TLS 1.0/1.1) was confirmed DISABLED and credited as a positive control. One item (RC4/3DES cipher presence) requires a dedicated cipher suite scan for final confirmation and is not counted in the current totals. The Compliance Assessment severity counts sum to 8; the module total of 24 is reproduced as reported. Module totals include findings cross-listed under several IDs (for example RECON-003 / THREAT-002 / COMPLIANCE-004); the Unique Total row counts each finding once.

3.2 Risk Score

Category | Raw | Cap | Score
Critical findings (14 × 10) | 140 | 50 | 50
High findings (22 × 3) | 66 | 25 | 25
Medium findings (15 × 1) | 15 | 15 | 15
Positive controls (6 × 5) | −30 | N/A | −30
TOTAL | | | 60 / 100

Risk Tier: HIGH RISK

Score interpretation: 0–20 Low | 21–40 Moderate | 41–60 High | 61–80 Critical | 81–100 Severe. A score of 60 places this platform at the ceiling of the High tier. The presence of 14 confirmed critical findings, including potentially unpatched unauthenticated RCE vulnerabilities, an open RDP port, and multiple application-layer weaknesses, means that practical exposure is Critical even though the composite score does not reflect it. Report updated March 5, 2026 to add four sup­plemental findings (SPF/DMARC absence, blind parameter reflection, token authentication weakness, HTTP TRACE).

4. Critical Findings

RECON-003 / THREAT-002 / COMPLIANCE-004: RDP Port 3389 Publicly Exposed

Finding ID: RECON-003 / THREAT-002 / COMPLIANCE-004
Severity: CRITICAL
CVSS: 9.8 (worst case, taken from CVE-2019-0708 BlueKeep; host OS version unconfirmed)
Category: Network Exposure / Ransomware Vector
Effort to Exploit: Low: automated scanners enumerate this continuously

Description: TCP port 3389 (Windows Remote Desktop Protocol) is open and reachable from the public internet on EC2 instance 52.9.246.155. Exposed RDP is one of the most common initial access vectors for ransomware operators, through brute force and credential stuffing as much as through exploits. The CISA Known Exploited Vulnerabilities catalog includes CVE-2019-0708 (BlueKeep, CVSS 9.8, wormable, unauthenticated RCE against RDP) and later RDP vulnerabilities. BlueKeep itself only affects Windows 7, Windows Server 2008 and 2008 R2 and earlier, and the OS version of this host is not known, so the 9.8 score recorded above is the worst case rather than a confirmed exposure; the open port is the confirmed finding. Shodan, Censys, and similar mass-internet scanners continuously index exposed RDP hosts; this server is likely already catalogued.

Evidence:

TCP port scan: 52.9.246.155:3389 — OPEN (confirmed via direct TCP connection)

Note: Standard HTTP probe methods cannot detect TCP-only services like RDP.

This finding was confirmed using direct TCP handshake against port 3389.

Regulations: PCI DSS v4.0 Req 1.3.1: "Inbound and outbound traffic is restricted to that which is necessary." RDP to a public IP from any source violates this requirement directly.

Remediation:

Timeline: Immediate: within 2 hours of report receipt.


THREAT-001: Unauthenticated Remote Code Execution: ASP.NET Core Kestrel

Finding ID: THREAT-001
Severity: CRITICAL
CVEs: CVE-2024-35264 (Critical), CVE-2024-38229 (Critical)
Affected Versions: .NET 8.0.0–8.0.6 (CVE-2024-35264), .NET 8.0.0–8.0.9 (CVE-2024-38229); both require HTTP/3 to be enabled in Kestrel
Category: Remote Code Execution (Unauthenticated)

Description: Two critical-severity CVEs affect the Kestrel web server's HTTP/3 implementation in .NET 8.0 releases before 8.0.7 (CVE-2024-35264) and before 8.0.10 (CVE-2024-38229). In both cases an unauthenticated remote attacker can send crafted HTTP/3 traffic to achieve code execution on the server. Kestrel is the confirmed web server for travelpro365.com (evidenced by the Server: Kestrel response header). Two conditions decide exposure: the runtime level, which could not be read passively, and whether HTTP/3 is enabled at all, since Kestrel serves HTTP/1.1 and HTTP/2 only unless the listener is explicitly configured for HTTP/3; a server that never sends an Alt-Svc: h3 header is very likely not listening on QUIC. If the runtime is older than the fix level and HTTP/3 is on, this server is vulnerable.

Evidence:

curl -sI https://travelpro365.com | grep -i server

→ server: Kestrel

CVE-2024-35264: Microsoft severity Critical, CVSS 8.1. Published 2024-07-09. Affects .NET 8.0.0–8.0.6; fixed in .NET 8.0.7 (July 2024 Patch Tuesday).

CVE-2024-38229: Microsoft severity Critical, CVSS 8.1. Published 2024-10-08. Affects .NET 8.0.0–8.0.9; fixed in .NET 8.0.10 (October 2024 Patch Tuesday).

Both issues are in Kestrel's HTTP/3 handling and are only reachable when HTTP/3 is enabled, which Kestrel does not do by default.

Regulations: PCI DSS v4.0 Req 6.3.3: "All system components are protected from known vulnerabilities by installing applicable security patches/updates." Critical severity patches must be applied within one month.

Remediation: Update the .NET runtime to 8.0.21 or the latest 8.0 servicing release (8.0 is the current LTS). Verify with dotnet --list-runtimes on the server; dotnet --version reports the SDK, not the runtime an application executes on. For a self-contained deployment the shared framework is not used, so check the runtime pack version recorded in the application's .deps.json instead. After patching, confirm Kestrel behaviour under normal traffic. If HTTP/3 is not required, leave it disabled: Kestrel does not enable it unless the listener's protocols are set to include Http3, and the absence of an Alt-Svc: h3 header in responses is a quick passive indicator that it is off.

Timeline: Immediate: critical patch, within 72 hours.


THREAT-003: HTTP Request Smuggling: CVE-2025-55315

Finding ID: THREAT-003
Severity: CRITICAL
CVE: CVE-2025-55315 (GHSA-5rrx-jjjq-q2r5)
Affected Versions: ASP.NET Core ≤ 8.0.20
Category: Authentication Bypass / Request Smuggling

Description: CVE-2025-55315 is a critical request smuggling vulnerability in Kestrel's HTTP request parsing, affecting ASP.NET Core 8.0 through 8.0.20. Request smuggling lets an attacker craft a request that a front-end and Kestrel split into different requests, which can bypass authentication or rate limiting enforced by the front-end, poison shared caches, and, combined with other weaknesses, hijack another user's request or session. Two practical points apply. The classic attack needs a front-end that parses HTTP differently from Kestrel, and INFRA-001 records no proxy in front of this host today; but the WAF recommended in this report would become exactly that front-end, so the patch must land before or together with it. And the server version could not be read passively, so patch status is unknown.

Evidence:

Server: Kestrel (confirmed from response headers)

GHSA-5rrx-jjjq-q2r5: Critical, affects ASP.NET Core ≤ 8.0.20

Fixed in ASP.NET Core 8.0.21 (released 2025).

Server version unconfirmed — patch status unknown from passive recon alone.

Remediation: Patch to ASP.NET Core 8.0.21 or later. This is the same patch action as THREAT-001; a single .NET update addresses all three Kestrel CVEs.

Timeline: Immediate: within 72 hours, same patch window as THREAT-001.
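The patch-level check that THREAT-001 and THREAT-003 both depend on, as an added example that is not part of the CIPHER report or of the target's code: it parses `dotnet --list-runtimes` output into versions, compares the installed Microsoft.AspNetCore.App against the fix levels for the three advisories (8.0.7, 8.0.10 and 8.0.21, taken from the finding text and to be confirmed against Microsoft's advisories), and counts the two HTTP/3 CVEs only when the server advertises HTTP/3 through an Alt-Svc header, since Kestrel leaves HTTP/3 off unless the listener opts in. The sample runtime listing and response headers are constructed.

```python
import re

# Fix levels for the advisories in THREAT-001 and THREAT-003, as stated on this
# page. Re-check against Microsoft's advisory before relying on them.
FIXED_IN = {
    "CVE-2024-35264": (8, 0, 7),
    "CVE-2024-38229": (8, 0, 10),
    "CVE-2025-55315": (8, 0, 21),
}

# Only the HTTP/3 advisories need QUIC to be enabled; Kestrel does not enable
# HTTP/3 unless the application opts in, so this is a practical qualifier.
REQUIRES_HTTP3 = {"CVE-2024-35264", "CVE-2024-38229"}

RUNTIME_LINE = re.compile(r"^(?P<name>Microsoft\.[A-Za-z.]+) (?P<ver>\d+\.\d+\.\d+)")


def parse_runtimes(list_runtimes_output):
    """Parse `dotnet --list-runtimes` output into {runtime name: [version tuples]}.

    Only the shared framework is listed here; a self-contained deployment bundles
    its own copy and must be read from the application's .deps.json instead.
    """
    found = {}
    for line in list_runtimes_output.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m:
            ver = tuple(int(p) for p in m.group("ver").split("."))
            found.setdefault(m.group("name"), []).append(ver)
    return found


def http3_advertised(headers):
    """True if the response advertises HTTP/3 (h3 or an h3 draft) via Alt-Svc."""
    alt = {k.lower(): v for k, v in headers.items()}.get("alt-svc", "")
    return bool(re.search(r"\bh3(-\d+)?=", alt))


def unpatched_advisories(runtimes, http3_enabled):
    """CVEs still applicable to the newest installed ASP.NET Core 8.0.x.

    Other major versions are ignored because the page only identifies 8.0.
    """
    eights = [v for v in runtimes.get("Microsoft.AspNetCore.App", []) if v[:2] == (8, 0)]
    if not eights:
        return []
    newest = max(eights)
    hits = []
    for cve, fixed in FIXED_IN.items():
        if newest < fixed and (http3_enabled or cve not in REQUIRES_HTTP3):
            hits.append(cve)
    return hits


# Constructed sample: a host still on the .NET 8.0.8 servicing release.
SAMPLE_LIST_RUNTIMES = """\
Microsoft.AspNetCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

# Constructed headers modelled on the evidence (Server: Kestrel, HTTP/2, no
# Alt-Svc), so HTTP/3 is taken as not exposed.
SAMPLE_HEADERS = {"server": "Kestrel", "content-type": "text/html"}

if __name__ == "__main__":
    rt = parse_runtimes(SAMPLE_LIST_RUNTIMES)
    h3 = http3_advertised(SAMPLE_HEADERS)
    print("installed:", rt)
    print("HTTP/3 advertised:", h3)
    print("unpatched:", unpatched_advisories(rt, h3))
```

On the sample host only CVE-2025-55315 is reported, because 8.0.8 already carries the fix for CVE-2024-35264 and the HTTP/3 issue in CVE-2024-38229 is unreachable without QUIC; passing `http3_enabled=True` adds it back. Run `dotnet --list-runtimes` on the instance and feed the output to `parse_runtimes()`; if the deployment is self-contained, read the runtime pack version from `.deps.json` and build the dictionary by hand.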


THREAT-004: Wormable RCE: Microsoft-HTTPAPI/2.0 on mvt Subdomain

Finding ID: THREAT-004
Severity: CRITICAL
CVEs: CVE-2021-31166 (CISA KEV, CVSS 9.8), CVE-2015-1635 (CISA KEV, CVSS 10.0)
Category: Remote Code Execution (Unauthenticated, Wormable)

Description: The mvt.travelpro365.com subdomain returns a Server: Microsoft-HTTPAPI/2.0 header. That value is emitted when the Windows HTTP.sys kernel-mode driver answers the request itself, either because it fronts an HTTP.sys-hosted service or because no application has the URL reserved, so the host is Windows and HTTP.sys is directly exposed. CVE-2021-31166 (HTTP Protocol Stack RCE, wormable, CVSS 9.8, CISA KEV) and CVE-2015-1635 (MS15-034, HTTP.sys RCE, CVSS 10.0, CISA KEV) both target this component, both are confirmed as exploited in the wild, and neither requires authentication. Applicability is version-specific and cannot be settled from the header: CVE-2021-31166 affects only Windows 10 versions 2004 and 20H2 and Windows Server versions 2004 and 20H2, and CVE-2015-1635 affects Windows 7, 8 and 8.1 and Windows Server 2008 R2, 2012 and 2012 R2. Confirming the OS build and patch level is a Phase 2 task; until then the host should be treated as exposed.

Evidence:

curl -sI https://mvt.travelpro365.com | grep -i server

→ server: Microsoft-HTTPAPI/2.0

CVE-2021-31166: Added to CISA KEV 2022-04-06. Wormable. CVSS 9.8.

CVE-2015-1635: CISA KEV. CVSS 10.0. HTTP.sys remote code execution.

Regulations: PCI DSS v4.0 Req 6.3.3. Both CVEs appear in CISA KEV, making them binding remediation requirements for any federal contractor and a strong enforcement reference for PCI DSS assessors.

Remediation:

Timeline: Immediate: within 24 hours.


HEADERS-001: CORS Wildcard Reflection with Credentials on Payment Domain

Finding ID: HEADERS-001
Severity: CRITICAL
Category: CORS Misconfiguration / Credential Theft
References: OWASP A05:2021: Security Misconfiguration, PCI DSS v4.0 Req 6.4.3

Description: pay.travelpro365.com echoes whatever Origin header it receives in Access-Control-Allow-Origin and at the same time sets Access-Control-Allow-Credentials: true. That combination lets a page on any origin, including an attacker's, issue credentialed cross-origin requests to the host with the victim's browser and read the responses. The null origin is echoed too, so the attack also works from sandboxed iframes and data: URLs. The Access-Control-Allow-Methods value lists PUT, PATCH and DELETE, and also contains header names (Authorization, X-Xsrf-token, Csrf-Token) that belong in Access-Control-Allow-Headers, which points to a hand-edited configuration rather than a framework default. Two qualifications apply before calling this exploitable. The evidence is a preflight (OPTIONS) response; the real request must return cardholder-relevant data for there to be anything to steal. And the victim's session cookie must be sent cross-site, which requires SameSite=None, since Chromium-based browsers withhold cookies without a SameSite attribute from cross-site requests by default. TLS-006 records that this host presents a GoDaddy paylinks certificate; if it is served by GoDaddy Payments, the configuration is theirs to correct and the finding should be raised with the vendor. These are Phase 2 confirmations; the configuration is wrong regardless.

Evidence:

curl -sk https://pay.travelpro365.com -H 'Origin: https://evil.com' -X OPTIONS -I

→ HTTP/2 200

→ access-control-allow-origin: https://evil.com

→ access-control-allow-credentials: true

→ access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE,Authorization,X-Xsrf-token,Csrf-Token

Null origin also reflected:

curl -sk https://pay.travelpro365.com -H 'Origin: null' -X OPTIONS -I

→ access-control-allow-origin: null

→ access-control-allow-credentials: true

Regulations: PCI DSS v4.0 Req 6.4.3: all scripts on payment pages must be authorized and managed. OWASP A05:2021. This misconfiguration on a payment-adjacent domain creates direct cardholder data exposure risk.

Remediation:

Timeline: Within 24 hours.
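An added example, not from the report or from the pay.travelpro365.com code, that turns the preflight evidence above into a repeatable check and shows the configuration that should replace it: classify_cors() flags origin reflection, null-origin acceptance, the credentials flag, the mutating methods and the header names that have leaked into Access-Control-Allow-Methods, while cors_headers_for() is the exact-match allowlist a server should apply instead. The allowed-origin set and the sample responses are constructed from the evidence in this finding.

```python
# Origins the payment host may legitimately be called from. Assumed for this
# example; the real list belongs in server configuration, not in a scanner.
ALLOWED_ORIGINS = {"https://www.travelpro365.com", "https://travelpro365.com"}


def _lower(headers):
    """Header names are case-insensitive; normalise once for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def classify_cors(request_origin, response_headers):
    """Judge one response the way HEADERS-001 judges the preflight.

    'credentialed_reflection' is the dangerous state: the request's Origin is
    echoed back and credentials are allowed, so script on that origin can read
    the response. 'null' counts as reflected because sandboxed iframes and
    data: URLs send exactly that value.
    """
    h = _lower(response_headers)
    acao = h.get("access-control-allow-origin", "").strip()
    acac = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    methods = {m.strip().upper()
               for m in h.get("access-control-allow-methods", "").split(",") if m.strip()}
    reflected = acao not in ("", "*") and acao == request_origin
    return {
        "reflects_origin": reflected,
        "null_origin_allowed": acao == "null",
        "wildcard": acao == "*",
        "credentials": acac,
        "credentialed_reflection": reflected and acac,
        "mutating_methods": sorted(methods & {"PUT", "PATCH", "DELETE"}),
        # Header names leaking into the methods list, as observed on the host.
        "non_method_tokens": sorted(m for m in methods
                                    if not m.isalpha() or m == "AUTHORIZATION"),
    }


def cors_headers_for(request_origin):
    """Hardened replacement: exact-match allowlist, never echo, never 'null',
    no credentials for unknown origins. Vary: Origin stops a shared cache from
    serving one origin's answer to another."""
    if request_origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}          # no ACAO at all: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type, X-Xsrf-Token",
        "Vary": "Origin",
    }


# Constructed from the evidence quoted in HEADERS-001.
OBSERVED = {
    "access-control-allow-origin": "https://evil.com",
    "access-control-allow-credentials": "true",
    "access-control-allow-methods":
        "GET,HEAD,PUT,PATCH,POST,DELETE,Authorization,X-Xsrf-token,Csrf-Token",
}
OBSERVED_NULL = {
    "access-control-allow-origin": "null",
    "access-control-allow-credentials": "true",
}

if __name__ == "__main__":
    print("evil.com:", classify_cors("https://evil.com", OBSERVED))
    print("null:", classify_cors("null", OBSERVED_NULL))
    print("fixed, evil.com:", cors_headers_for("https://evil.com"))
    print("fixed, www:", cors_headers_for("https://www.travelpro365.com"))
```

The check reads the headers of a single response, so it can be pointed at a saved preflight or at a live one; it deliberately does not decide exploitability, which needs the actual request's body and the session cookie's SameSite attribute (Phase 2). The hardened helper returns no Access-Control headers at all for unknown origins rather than a deny value, because an absent ACAO is what makes the browser withhold the response.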


TLS-001: Expired SSL Certificate: brownell.travelpro365.com

Finding ID: TLS-001
Severity: CRITICAL
Category: Certificate Failure / Service Broken

Description: The last certificate logged for brownell.travelpro365.com expired on December 29, 2025, more than 65 days before this audit, and no valid replacement appears in Certificate Transparency logs. The openssl s_client probe returns "no peer certificate available", which means the TLS handshake did not complete at all: either nothing is listening on 443 or the listener closed the connection before presenting a certificate. An expired certificate would still be presented and would produce a verification error instead. Either way HTTPS is non-functional on this subdomain: browsers show a connection or certificate error, and users who retry over plain http:// send any credentials or session data in cleartext. What the subdomain serves, and whether it is still meant to be live, should be confirmed with the operator before renewal; if it is retired, the DNS record should be removed rather than left pointing at a dead host.

Evidence:

openssl s_client -connect brownell.travelpro365.com:443

→ no peer certificate available

→ no client certificate CA names sent

CT log evidence:

Last certificate in CT log for brownell.travelpro365.com expired: 2025-12-29

Current date: 2026-03-04

Days expired: 65+

Regulations: PCI DSS v4.0 Req 4.2.1: "Strong cryptography is used to safeguard PAN during transmission." An expired, non-functional TLS certificate fails this requirement entirely.

Remediation:

Timeline: Same-day remediation required.


PRIVACY-001: No Privacy Policy (Complete Absence)

Finding ID: PRIVACY-001
Severity: CRITICAL
Category: Regulatory Compliance: Privacy
Regulations: CCPA §1798.135(a)(2), GDPR Art. 13, CalOPPA Cal. Bus. & Prof. Code §22575

Description: travelpro365.com has no privacy policy. All standard privacy policy URLs (/privacy, /privacy-policy, /legal, /terms) return HTTP 404. The website footer displays only: © 2026 - Coastline Travel Group ALL RIGHTS RESERVED CST# 2040360-40. There are zero links to any privacy document anywhere in the page source. This is not a deficient privacy policy; it is a complete absence of one. The platform collects names, email addresses, travel itineraries, payment card data, and behavioral data via multiple third-party trackers. Each of these collection activities requires disclosure at the point of collection under CCPA and GDPR.

Evidence:

GET /privacy-policy → 404 Not Found

GET /privacy → 404 Not Found

GET /legal → 404 Not Found

GET /terms-of-service → 404 Not Found

Footer source: "© 2026 - Coastline Travel Group ALL RIGHTS RESERVED CST# 2040360-40"

grep result for "privacy" in page source: 0 matches

Regulations and Fine Exposure:

Remediation: Engage privacy counsel immediately. A CCPA/GDPR-compliant privacy policy must be drafted, reviewed, and published before further marketing or data collection activity. This is a prerequisite for all subsequent privacy compliance work.

Timeline: Within 5 business days (legal engagement), published within 14 business days.


PRIVACY-002: No "Do Not Sell or Share My Personal Information" Mechanism

Finding ID: PRIVACY-002
Severity: CRITICAL
Category: Regulatory Compliance: CCPA/CPRA
Regulations: CCPA §1798.120, §1798.135(a)(1), CPRA §1798.135(b)

Description: California law requires that any business that sells or shares personal information provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link on its homepage. The platform shares consumer data with Google (Analytics, Ads, GTM), Meta (Facebook Pixel), and HotJar, all of which qualify as "sharing" under CCPA's broad definition. There is no opt-out link anywhere on the site. The /.well-known/gpc.json resource returns 404; that file is an optional, machine-readable declaration that a site honors Global Privacy Control, so its absence shows the site makes no such declaration. Whether the Sec-GPC: 1 request header is actually honored can only be established by observing server behaviour with the signal set, which is a Phase 2 check. The California AG's enforcement action against Sephora ($1.2M) was specifically for failure to respond to GPC signals and failure to provide opt-out.

Evidence:

GET /.well-known/gpc.json → 404 Not Found

grep "donotsell|opt-out|optout|gpc|1798" in page source: 0 matches

Footer privacy links: None

Regulations:

Remediation:

Timeline: Within 14 business days.


INFRA-001 / COMPLIANCE-003 / COMPLIANCE-020: No WAF or CDN, Direct EC2 Exposure

Finding ID: INFRA-001 / COMPLIANCE-003 / COMPLIANCE-020
Severity: CRITICAL
Category: Infrastructure: No Perimeter Defense
Regulations: PCI DSS v4.0 Req 6.4.2 (required since March 31, 2025; supersedes 6.4.1), SOC 2 CC6.6

Description: The origin IP address (52.9.246.155) resolves directly from DNS. There is no CDN, WAF or DDoS protection layer in front of the application server; requests reach the Kestrel process on the EC2 instance without any intermediary filtering. PCI DSS v4.0 Requirement 6.4.2, a best practice until March 31, 2025 and required since then, calls for an automated technical solution that continually detects and prevents web-based attacks on public-facing web applications (in practice a WAF); it supersedes the periodic-review option that 6.4.1 allowed. That requirement is not met. Every network-reachable weakness in this report, patched or not, is exposed to automated tooling with no filtering layer in the path, and placing a WAF in front only helps if the origin then stops answering direct requests (see INFRA-002).

Evidence:

dig +short travelpro365.com

→ 52.9.246.155

curl -sI https://travelpro365.com | grep -i 'cf-ray\|x-cache\|via\|x-amz\|x-fw'

→ (no output — no WAF/CDN headers present)

server: Kestrel ← bare application server, no intermediary

Regulations:

Remediation:

Timeline: Within 48 hours.


COMPLIANCE-013: No Cookie Consent for Tracking Technologies

Finding ID: COMPLIANCE-013
Severity: CRITICAL
Category: Regulatory Compliance: GDPR/CCPA
Regulations: GDPR Art. 6(1)(a), Art. 7, ePrivacy Directive; CCPA §1798.100

Description: The platform loads Google Analytics 4, two Google Ads tracking pixels, Google Tag Manager, Facebook Pixel, and HotJar session recording on every page load, including pages that handle booking PII, without any cookie consent mechanism. There is no consent management platform (CMP). Tracking fires unconditionally, before any user interaction, without disclosure. Under GDPR, this requires valid consent (freely given, specific, informed, unambiguous) obtained before non-essential tracking cookies are set. Under CCPA, this constitutes sharing without disclosure.

The CNIL (French data protection authority) fined Google €150M and Facebook €60M specifically for making consent refusal more difficult than acceptance. Supervisory authorities across the EU have taken coordinated enforcement action on cookie consent since 2022.

Evidence:

Network requests on page load (no user interaction):
  • www.google-analytics.com (GA4)
  • googletagmanager.com (GTM)
  • connect.facebook.net/en_US/fbevents.js (Facebook Pixel)
  • static.hotjar.com/c/hotjar-*.js (HotJar)
  • googleadservices.com (Google Ads x2)

No CMP present. No consent banner. No consent cookie set prior to tracking.

Remediation:

Timeline: Within 14 business days.


COMPLIANCE-023: HotJar Session Recording Without Disclosure

Finding ID: COMPLIANCE-023
Severity: CRITICAL
Category: Regulatory Compliance: FTC Act
Regulations: FTC Act §5 (15 U.S.C. § 45): Deceptive and Unfair Trade Practices
Civil Penalties: Up to $51,744 per violation per day

Description: HotJar is a session recording tool that captures mouse movements, clicks, scrolling and page content in real time, and can capture keystrokes where input suppression has been turned off; in its default configuration typed input is masked, and which configuration is in force cannot be determined from the loading tag alone. It is loaded on travelpro365.com without any user disclosure, consent gate, or privacy policy mention. On booking pages this means HotJar may be capturing form entries including names, email addresses, phone numbers, and travel details. This constitutes a deceptive trade practice under FTC Act §5; consumers are not informed that their on-page activity is being recorded. The FTC has taken enforcement action against companies for undisclosed data collection practices, with civil penalties up to $51,744 per violation per day under the 2023 penalty adjustment.

Evidence:

GET https://travelpro365.com/Home/Start

→ <script src="https://static.hotjar.com/c/hotjar-[ID].js" async></script>

→ Loads unconditionally on all page views

→ No disclosure in footer, privacy policy (absent), or cookie banner (absent)

Remediation:

Timeline: Disable immediately (same day) pending consent implementation.


5. High Findings

TLS-002: mvt.travelpro365.com Certificate Expires in 12 Days

Finding ID: TLS-002
Severity: HIGH

The mvt.travelpro365.com certificate expires March 16, 2026, 12 days from the audit date, with no evidence of automated renewal. If it lapses, HTTPS on this host will fail the way brownell.travelpro365.com already has. Action: renew immediately and automate renewal. ACM certificates can only be attached to AWS-managed endpoints (ALB, CloudFront, API Gateway), not installed on the EC2 host's own listener, so choosing ACM implies putting a load balancer or CDN in front of the instance, which is consistent with INFRA-001; if the certificate stays on the host, use an ACME client such as certbot with a monitored renewal job and expiry alerts at 30 and 14 days.

Evidence: openssl x509 -noout -dates → notAfter=Mar 16 23:59:59 2026 GMT
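An added monitoring example covering TLS-001 and TLS-002, not part of the report: days_remaining() turns an OpenSSL notAfter string into days left as of a given date, rating() applies warning thresholds (30 and 14 days, assumed here), and probe_tls() makes the live distinction TLS-001 needs between a certificate that fails verification and a listener that presents no certificate at all. The two notAfter values are the ones quoted in TLS-001 and TLS-002; the brownell time of day is not on the page and is assumed.

```python
import calendar
import socket
import ssl
import time

WARN_DAYS = 30   # alerting thresholds, assumed policy for this example
CRIT_DAYS = 14


def days_remaining(not_after, as_of):
    """Whole days from `as_of` (YYYY-MM-DD, taken as 00:00 UTC) to an OpenSSL
    notAfter string such as 'Mar 16 23:59:59 2026 GMT'. Negative means expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = calendar.timegm(time.strptime(as_of, "%Y-%m-%d"))
    return (expires - now) // 86400


def rating(days):
    if days < 0:
        return "EXPIRED"
    if days <= CRIT_DAYS:
        return "CRITICAL"
    if days <= WARN_DAYS:
        return "WARNING"
    return "OK"


def probe_tls(host, port=443, timeout=5.0):
    """Live check (network). Separates the three states TLS-001 conflates:
    a certificate that verifies, one that is presented but fails verification
    (expired, wrong name), and no TLS endpoint answering at all, which is what
    'no peer certificate available' from s_client means."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"state": "valid", "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:
        return {"state": "presented_but_invalid", "detail": e.verify_message}
    except (ssl.SSLError, OSError) as e:
        return {"state": "no_tls_endpoint", "detail": str(e)}


def report(certs, as_of):
    """{host: (days_remaining, rating)} for a dict of host -> notAfter."""
    out = {}
    for host, not_after in certs.items():
        d = days_remaining(not_after, as_of)
        out[host] = (d, rating(d))
    return out


# Constructed inputs taken from the report: the audit date and the two notAfter
# values. The brownell time of day is not on the page and is assumed 23:59:59.
AUDIT_DATE = "2026-03-04"
CERTS = {
    "brownell.travelpro365.com": "Dec 29 23:59:59 2025 GMT",
    "mvt.travelpro365.com": "Mar 16 23:59:59 2026 GMT",
}

if __name__ == "__main__":
    for host, (d, r) in report(CERTS, AUDIT_DATE).items():
        print(f"{host}: {d:+d} days ({r})")
```

Run `report()` from a daily job against the notAfter values returned by `probe_tls()` (or by `openssl x509 -noout -dates` as in the evidence) and page on anything below OK. For brownell the live probe is the more useful call: a `no_tls_endpoint` result means renewal alone will not restore the service, because nothing is terminating TLS on that host.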


TLS-003: No HSTS on mvt.travelpro365.com

Finding ID: TLS-003
Severity: HIGH

mvt.travelpro365.com does not send a Strict-Transport-Security header. Users navigating to this subdomain via HTTP are not forced to HTTPS and are vulnerable to SSL stripping attacks. Remediation: Add Strict-Transport-Security: max-age=31536000; includeSubDomains.


RECON-004 / COMPLIANCE-005: API Endpoints Returning HTTP 500 with Stack Traces

Finding ID: RECON-004 / COMPLIANCE-005
Severity: HIGH
Regulation: PCI DSS v4.0 Req 6.2.4

Multiple /api and /Booking endpoints return HTTP 500 errors containing ASP.NET Core stack traces, internal file paths, framework version strings, and method names. This information directly aids an attacker in identifying vulnerable code paths and constructing exploits.

Evidence: HTTP 500 responses from /api/ and /Booking/ containing exception details, internal namespace structure, and .NET runtime information.

Remediation: Ensure the developer exception page is not enabled in production. In the default ASP.NET Core template, app.UseDeveloperExceptionPage() runs only when app.Environment.IsDevelopment(), so either ASPNETCORE_ENVIRONMENT is set to Development on the server or the middleware has been wired unconditionally. Set the environment to Production, register app.UseExceptionHandler("/error") for a generic error page, and then confirm that a forced 500 returns no stack trace, file path or framework version.


RECON-007 / PRIVACY-003 / PRIVACY-004: Ad Tracking Without Consent Gate

Finding ID: RECON-007 / PRIVACY-003 / PRIVACY-004
Severity: HIGH
Regulations: CCPA §1798.100(a), GDPR Art. 6/7

Google Analytics, Google Ads (×2), GTM, Facebook Pixel, and HotJar fire unconditionally on booking pages that handle PII. There is no consent management platform. See COMPLIANCE-013 (Critical) for the GDPR violation. This HIGH finding captures the specific risk of ad tracking pixels on a platform that processes booking PII; the combination of behavioral tracking with travel intent data creates a high-value profile for advertising networks with no user awareness.


RECON-008: Stripe Live Publishable Key in Client-Side Source

Finding ID: RECON-008 / THREAT-012
Severity: HIGH
Regulation: PCI DSS v4.0 Req 8.3

A Stripe live-mode publishable key is present in client-side HTML/JavaScript. Publishable keys are designed to be shipped to browsers: they can create card tokens and PaymentMethods and confirm a PaymentIntent whose client secret the page already holds, but they cannot read account data, create charges or create PaymentIntents, all of which need the secret key. The exposure therefore does not compromise the account on its own, and formjacking (injecting script to clone or skim the payment form) is a risk of the unprotected page (see HEADERS-002), not of the key. What the key does enable is card-testing abuse, in which stolen card numbers are validated at scale against this merchant's account, and it confirms that this is a production payment integration. The checks that follow from this are that no secret key (sk_live_ prefix) appears anywhere in client-delivered content, that Stripe's card-testing protections are enabled on the account, and that the CSP and script-integrity work in HEADERS-002 is treated as the control that actually protects the payment form.

Remediation:


HEADERS-002: No Content-Security-Policy

Finding ID: HEADERS-002
Severity: HIGH
Regulation: PCI DSS v4.0 Req 6.4.3

No Content-Security-Policy header is present on any page. Inline scripts execute, resources load from arbitrary domains, and the browser provides no XSS mitigation. PCI DSS v4.0 Req 6.4.3 requires that every script on a payment page be authorized, integrity-assured and inventoried; CSP (a script-src directive using nonces or hashes plus an explicit host allowlist) is the standard mechanism for the authorization part, and without it there is no technical enforcement of the inventory. The application currently loads GTM, GA, Maps, reCAPTCHA, and BootstrapCDN with no policy governing what may execute, so the first step is to enumerate those sources and roll the policy out in Content-Security-Policy-Report-Only before enforcing it.


HEADERS-003: Missing X-Frame-Options on Booking Entry Page

Finding ID: HEADERS-003
Severity: HIGH

X-Frame-Options is present on /Home/Login but absent from /Home/Start (the main booking entry point) and the root path. This leaves the booking workflow vulnerable to clickjacking; an attacker embeds the booking page in an invisible iframe on a malicious site and tricks users into submitting bookings or entering payment data.


HEADERS-004: No X-Content-Type-Options

Finding ID: HEADERS-004
Severity: HIGH

Absence of X-Content-Type-Options: nosniff allows browsers to perform MIME type sniffing, potentially executing uploaded files as scripts. This is a direct enabler for certain file upload and content injection attacks.


HEADERS-005: Antiforgery Cookie Missing Secure Flag

Finding ID: HEADERS-005
Severity: HIGH
Regulation: PCI DSS v4.0 Req 6.4.1

The .AspNetCore.Antiforgery.XcOvBRWr5Vc cookie, which carries the CSRF protection token, is set without the Secure flag. The browser will therefore include it on any plaintext request to the host, for example on the first http:// visit before the HSTS policy is cached (TLS-005 records a 30-day max-age without preload), exposing the token to a network attacker. The cookie is correctly HttpOnly and SameSite=Strict, which limits but does not remove the exposure. Remediation: configure AddAntiforgery(options => options.Cookie.SecurePolicy = CookieSecurePolicy.Always) so the cookie is only ever sent over HTTPS, redeploy, and re-check the Set-Cookie header.

Evidence: set-cookie: .AspNetCore.Antiforgery.XcOvBRWr5Vc=...; path=/; samesite=strict; httponly (Secure flag absent).
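An added example, not from the report or from the application, covering HEADERS-002 through HEADERS-005 together with the HSTS item in TLS-003/TLS-005 and the Referrer-Policy and Permissions-Policy items in the Medium table: audit_response_headers() lists the gaps in a response header set, audit_set_cookie() checks cookie attributes, and HARDENED_HEADERS is a target set for the booking pages. The observed headers are constructed from the evidence quoted on this page, and the hosts in the CSP script-src are assumptions standing in for the real script inventory (GTM, GA, Maps, reCAPTCHA, BootstrapCDN), which must be enumerated before the policy is enforced.

```python
import re

HSTS_MIN_AGE = 31536000  # one year; also the floor for preload-list submission


def _lower(headers):
    """Header names are case-insensitive; normalise once for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def audit_response_headers(headers):
    """One finding string per gap, covering HEADERS-002..007 and TLS-003/005."""
    h = _lower(headers)
    findings = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {age} below {HSTS_MIN_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_set_cookie(set_cookie):
    """Flag a Set-Cookie value that lacks Secure, HttpOnly or SameSite."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return [f"{name}: missing {flag}"
            for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"), ("SameSite", "samesite"))
            if key not in attrs]


# Target set for the booking pages. The script-src hosts are assumptions standing
# in for the real inventory; {nonce} is replaced per response by the server.
# Permissions-Policy values are illustrative and must be reconciled with what Maps needs.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'nonce-{nonce}' https://www.googletagmanager.com "
        "https://www.google.com https://maps.googleapis.com; "
        "frame-ancestors 'none'; object-src 'none'; base-uri 'self'"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed from the evidence quoted on this page: a Kestrel response with a
# 30-day HSTS header and the antiforgery cookie without Secure (value redacted).
OBSERVED_HEADERS = {
    "server": "Kestrel",
    "strict-transport-security": "max-age=2592000",
    "set-cookie": ".AspNetCore.Antiforgery.XcOvBRWr5Vc=REDACTED; path=/; samesite=strict; httponly",
}

if __name__ == "__main__":
    for f in audit_response_headers(OBSERVED_HEADERS) + audit_set_cookie(OBSERVED_HEADERS["set-cookie"]):
        print("FINDING:", f)
    print("hardened set:", audit_response_headers(HARDENED_HEADERS) or "clean")
```

Feed it the header dictionary from `curl -sI` (one entry per header; repeat the cookie check for every Set-Cookie line) and re-run after each deployment. The CSP in the hardened set is a starting point only: roll it out as Content-Security-Policy-Report-Only first, collect violation reports, then switch to enforcement once the script inventory is complete.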


INFRA-002: Direct EC2 IP Responds on Port 80

Finding ID: INFRA-002
Severity: HIGH

Port 80 on the raw EC2 IP (52.9.246.155) returns a response, bypassing any future CDN or WAF that may be placed in front of the domain. Even after deploying a WAF, if the EC2 security group permits direct HTTP access, attackers who know the origin IP can bypass WAF protections entirely.

Remediation: After WAF deployment, update the EC2 security group to accept inbound 80/443 only from WAF provider IP ranges.
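An added example, not from the report or from the AWS account, of the security-group audit that closes both RECON-003 and this finding: audit_ingress() walks a security group in the shape returned by `aws ec2 describe-security-groups`, flags management ports such as 3389 reachable from 0.0.0.0/0 or ::/0 (or any other public range), and, once a WAF/CDN provider's ranges are supplied, flags 80/443 rules that still admit anything else. The sample group, its ID and the WAF range are constructed.

```python
import ipaddress

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Management ports that must never face the internet on an origin host (assumed policy list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 1433: "MSSQL"}
WEB_PORTS = (80, 443)


def _cidrs(rule):
    """Every CIDR in one IpPermissions entry, IPv4 and IPv6."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _covers(rule, port):
    """Does this rule admit TCP traffic to `port`? IpProtocol -1 means all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_ingress(sg, waf_ranges=frozenset()):
    """Findings for one security group dict.

    - an admin port reachable from 0.0.0.0/0 or ::/0            -> CRITICAL (RECON-003)
    - an admin port reachable from any other public range       -> HIGH
    - 80/443 reachable from anything outside `waf_ranges`, when
      a WAF/CDN allowlist is supplied                          -> HIGH (INFRA-002)
    """
    findings = []
    for rule in sg.get("IpPermissions", []):
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            for port, name in ADMIN_PORTS.items():
                if not _covers(rule, port):
                    continue
                if cidr in ANYWHERE:
                    findings.append(("CRITICAL", f"{name}/{port} open to {cidr}"))
                elif not net.is_private:
                    findings.append(("HIGH", f"{name}/{port} open to public range {cidr}"))
            if waf_ranges:
                for port in WEB_PORTS:
                    if _covers(rule, port) and cidr not in waf_ranges:
                        findings.append(("HIGH", f"port {port} open to {cidr}, not a WAF range"))
    return findings


def locked_down(waf_ranges):
    """The replacement group: 80/443 from the WAF ranges only, no admin ports at all."""
    return {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": c} for c in sorted(waf_ranges)]}
        for p in WEB_PORTS]}


# Constructed to mirror the state this report describes: RDP, 80 and 443 open to the world.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",   # constructed identifier
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
WAF_RANGES = {"203.0.113.0/24"}   # placeholder for the provider's published egress ranges

if __name__ == "__main__":
    for sev, msg in audit_ingress(SAMPLE_SG, WAF_RANGES):
        print(sev, msg)
    print("locked down:", audit_ingress(locked_down(WAF_RANGES), WAF_RANGES) or "clean")
```

Pipe `aws ec2 describe-security-groups --group-ids <id>` through `json.load()` and pass each entry of `SecurityGroups` to `audit_ingress()`. The right replacement for the RDP rule is no inbound port at all: AWS Systems Manager Session Manager port forwarding, or a VPN/bastion path into the VPC, rather than a narrower public allowlist. Re-run the audit with the provider's ranges after the WAF goes live, because INFRA-002 is precisely the case where the origin keeps answering direct requests.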


THREAT-005: jsPDF Debug Build with Active CVEs

Finding ID: THREAT-005
Severity: HIGH

The jsPDF library in production is a debug build. 10 active CVEs are associated with outdated jsPDF versions, including CVE-2025-68428 (Local File Inclusion/Path Traversal), PDF object injection, and XSS via CVE-2020-7691. Debug builds also expose internal error states and may have reduced input validation. Remediation: Replace with the current production build of jsPDF; audit all PDF generation code paths for input sanitization.


THREAT-006: GoDaddy Multi-Year Breach: Payment Infrastructure at Risk

Finding ID: THREAT-006
Severity: HIGH

GoDaddy disclosed in November 2021 (SEC 8-K filed 2021-11-22) a breach of its Managed WordPress hosting affecting about 1.2 million customers, including exposure of SSL private keys for a subset of them, and in its February 2023 annual report described a multi-year intrusion of its hosting environment by the same threat actor spanning incidents in 2020 (SSH credential compromise), 2021 and 2022 (malware installed on customer sites, source code stolen). Those disclosures concern GoDaddy's hosting environment; no public disclosure ties them to GoDaddy Payments (Poynt), through which travelpro365.com routes card payments. This is therefore a vendor-risk item rather than a direct finding: Coastline should obtain GoDaddy Payments' current PCI attestation of compliance and confirm that the payment integration shares no credentials or hosting with the affected services.


THREAT-009: ASP.NET Core Elevation of Privilege: CVE-2025-24070

Finding ID: THREAT-009
Severity: HIGH
CVE: CVE-2025-24070 (GHSA-2865-hh9g-w894)

Published March 2025, CVE-2025-24070 is an elevation-of-privilege issue in ASP.NET Core Identity: under certain conditions SignInManager.RefreshSignInAsync can sign a request in as a different user. It affects .NET 8.0 and 9.0 applications that use Identity with that API; no prior foothold via injection is needed, but whether travelpro365.com uses ASP.NET Core Identity could not be determined passively. It is fixed by the same .NET update as THREAT-001.


RECON-011: No SPF or DMARC Records: Email Domain Spoofing Enabled

Severity: High

Category: Email Security / DNS

Regulation: RFC 7208 (SPF), RFC 7489 (DMARC), PCI DSS v4.0 Req 6.3.1 (Req 6.1 in v3.2.1), FTC Act §5

Finding: DNS enumeration confirms that travelpro365.com has no Sender Policy Framework (SPF) record and no DMARC record. The TXT record set for travelpro365.com contains only a Google Site Verification entry. A DNS query for _dmarc.travelpro365.com returns NXDOMAIN; the subdomain does not exist.

Evidence:

$ dig TXT travelpro365.com +short

"google-site-verification=6fVofXhvd6de7YNRslarhaXNEqDMg9zqnS81lP6aDrY"

[No v=spf1 record present]

$ dig TXT _dmarc.travelpro365.com

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN

;; AUTHORITY SECTION:

travelpro365.com. 600 IN SOA ns59.domaincontrol.com. dns.jomax.net. ...

[NXDOMAIN — _dmarc subdomain does not exist]

Impact: Without SPF, any mail server on the internet can send email that claims to originate from @travelpro365.com with no authentication signal for receiving mail servers to verify legitimacy. Without DMARC, there is no policy instruction to receiving servers to quarantine or reject unauthenticated mail, and no aggregate reporting mechanism to detect ongoing spoofing.

In the travel booking context this is particularly dangerous: attackers routinely spoof travel brands to deliver fake itinerary confirmations, invoice fraud, and credential phishing to consumers who have just completed a booking and are expecting a follow-up email. The domain has an established consumer trust association with travel itineraries and payment confirmations, exactly the scenario attackers exploit. This is not a theoretical risk; travel sector email spoofing campaigns are actively tracked by threat intelligence organizations.

Regulatory context: The FTC has cited inadequate email authentication as a component of deceptive trade practices under §5. PCI DSS v4.0 Req 6.3.1 (Req 6.1 in v3.2.1) requires organizations to identify and address security vulnerabilities affecting their environment, which includes domain spoofing vectors affecting cardholder communications.

Remediation:

Effort: Low | Priority: P1 | Timeline: 24–48 hours (SPF/DMARC publish is a DNS record addition)
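The DNS evaluation behind this finding, as an added example that is not part of the report: evaluate_spf() and evaluate_dmarc() interpret TXT record sets the way a receiving mail server reads them (the single-record rule, the qualifier on all, the ten-lookup limit, DMARC p= and rua= tags), and rate() maps the result onto the severity scale used here. The observed TXT set is the one quoted in the evidence above; the proposed records assume Google Workspace as the outbound mail provider and a reporting mailbox, neither of which the page confirms.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 7.4.6 caps these at ten.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term):
    """'include:_spf.example' -> 'include'; '-all' -> 'all'; 'a/24' -> 'a'."""
    return re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def evaluate_spf(txt_records):
    """Summarise the SPF state of a domain from its TXT record set (RFC 7208)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "valid": False, "all": None, "lookups": 0}
    if len(spf) > 1:                     # RFC 7208 4.5: more than one record is a permerror
        return {"present": True, "valid": False, "all": "permerror", "lookups": 0}
    terms = spf[0].split()[1:]
    all_term = next((t.lower() for t in terms if _mechanism(t) == "all"), None)
    policy = {"-all": "fail", "~all": "softfail", "?all": "neutral",
              "+all": "pass", "all": "pass"}.get(all_term, "none")
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    return {"present": True, "valid": lookups <= 10, "all": policy, "lookups": lookups}


def evaluate_dmarc(txt_records):
    """Summarise _dmarc.<domain> (RFC 7489). An empty list models the NXDOMAIN in evidence."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return {"present": False, "policy": None, "reporting": False}
    tags = {}
    for kv in recs[0].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return {"present": True, "policy": tags.get("p", "").lower() or None, "reporting": "rua" in tags}


def rate(spf, dmarc):
    """Map the pair onto the report's severity scale (thresholds assumed here)."""
    if not spf["present"] and not dmarc["present"]:
        return "HIGH"          # anyone can spoof, and nobody is told
    if not spf["valid"] or spf["all"] in (None, "none", "pass", "neutral", "permerror"):
        return "HIGH"          # an SPF record that authorises everyone is no better than none
    if not dmarc["present"] or dmarc["policy"] == "none":
        return "MEDIUM"        # receivers get no instruction to quarantine or reject
    return "OK" if dmarc["policy"] in ("quarantine", "reject") else "MEDIUM"


# Observed TXT set, copied from the evidence above; _dmarc returned NXDOMAIN.
OBSERVED_TXT = ["google-site-verification=6fVofXhvd6de7YNRslarhaXNEqDMg9zqnS81lP6aDrY"]
OBSERVED_DMARC_TXT = []

# Proposed records. The include and the reporting mailbox are assumptions: the
# page does not identify the outbound mail provider.
PROPOSED_TXT = ["v=spf1 include:_spf.google.com -all"]
PROPOSED_DMARC_TXT = ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@travelpro365.com; pct=100"]

if __name__ == "__main__":
    for label, txt, dmarc in (("observed", OBSERVED_TXT, OBSERVED_DMARC_TXT),
                              ("proposed", PROPOSED_TXT, PROPOSED_DMARC_TXT)):
        s, d = evaluate_spf(txt), evaluate_dmarc(dmarc)
        print(label, s, d, "->", rate(s, d))
```

Feed it the strings from `dig TXT travelpro365.com +short` and `dig TXT _dmarc.travelpro365.com +short`. Publish DMARC with p=none first so the rua reports reveal every legitimate sender (booking confirmations, marketing, helpdesk) before the policy moves to quarantine and then reject; the function rates p=none as MEDIUM deliberately, because it is a monitoring state, not a protection.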


SOURCE-006: Missing Token Authentication: Affiliate Aid Tokens Accept Tampered Input (IDOR / Padding Oracle Risk)

Severity: High

Category: Cryptographic Weakness / Insecure Direct Object Reference

Regulation: OWASP A02:2021 (Cryptographic Failures), OWASP A01:2021 (Broken Access Control), PCI DSS Req 6.2.4

Finding: The SearchHotel?Aid= parameter accepts Base64-encoded affiliate tokens that the application decrypts server-side. Testing revealed that deliberately truncating and bit-flipping the Base64 ciphertext (e.g., corrupting A0D08483570025C0D8855719DF1A4D39 decoded content) returns HTTP 200 OK rather than a validation error (400/403). The server processes the tampered token without rejecting it.

Evidence:

```
$ curl -s -o /dev/null -w "%{http_code}" \
    "https://www.travelpro365.com/SearchHotel?Aid=AAAAAAAA"
200
```

[Truncated/tampered Aid values accepted; server returns 200 without validation error]

Impact: A 200 OK response to a structurally invalid or tampered token indicates the underlying token scheme lacks Authenticated Encryption (AES-GCM, ChaCha20-Poly1305) or a message authentication code (HMAC-SHA256). This exposes multiple attack vectors:

This is a High finding and a likely Phase 2 investigation target. Full impact cannot be determined passively without authenticated testing.

Remediation:

Effort: Medium | Priority: P1 | Timeline: 2–3 weeks


SOURCE-001: Google Maps API Key in Public HTML

| Field | Value |
|---|---|
| Finding ID | SOURCE-001 / PRIVACY-006 |
| Severity | HIGH |
| Regulation | PCI DSS v4.0 Req 8.3 |

The Google Maps API key (AIzaSyDbHiYtx66hN9rq4yTwI0QKUfbJFaEHrh4) is hardcoded in publicly accessible HTML. While Google Maps API keys are lower risk than payment API keys, this key can be abused for: unauthorized API usage billed to Coastline Travel Group's account; scraping of place data or geocoding results; enumeration of the Google Cloud project associated with the key. Unrestricted API keys have been used in attacks targeting Google Cloud resources linked to the same project.

Remediation: Restrict the API key in Google Cloud Console to specific HTTP referrers (travelpro365.com only) and specific APIs (Maps JavaScript API only). Rotate the key. Store future keys via environment variables, not HTML.


6. Medium Findings

| Finding ID | Title | Regulation |
|---|---|---|
| TLS-004 | No CAA DNS records: any CA can issue certificates | RFC 8659, PCI DSS Req 4.2 |
| TLS-005 | HSTS max-age 30 days, missing includeSubDomains/preload | PCI DSS Req 4.2.1 |
| TLS-006 | pay.travelpro365.com cert hostname mismatch (GoDaddy paylinks) | PCI DSS Req 4.2.1 |
| RECON-006 | No DNSSEC, no CAA records, GoDaddy DNS | RFC 4033, industry best practice |
| HEADERS-006 | No Referrer-Policy header | OWASP, privacy best practice |
| HEADERS-007 | No Permissions-Policy header | W3C spec, OWASP |
| INFRA-005 | HTTP→HTTPS 307 Temporary Redirect (should be 301 Permanent) | Web standards |
| INFRA-006 | AWS EC2 hostname leaked via reverse DNS | Information disclosure |
| INFRA-007 | Single EC2 instance: no HA, no auto-scaling | SOC 2 A1.2/A1.3 availability |
| SOURCE-002 | jQuery 3.5.1 in production | CVE-2020-11023 (CISA KEV) |
| SOURCE-003 | document.write in Hotel.js: XSS sink | OWASP A03:2021 |
| SOURCE-004 | jsPDF debug build | CVE-2025-68428, security best practice |
| SOURCE-007 | Blind Aid= parameter reflection into HTML form fields (latent XSS) | OWASP A03:2021 |
| THREAT-010 | jQuery 3.5.1: CVE-2020-11023 in CISA KEV | CISA KEV 2025-01-23 |
| THREAT-011 | Dark web breach status unverified | Risk management |

COMPLIANCE-002: RC4/3DES Cipher Verification Required:

Our assessment confirmed TLS 1.2 and 1.3 are supported and TLS 1.0/1.1 are disabled, but did not enumerate individual cipher suites at the granularity required to confirm or rule out RC4 or 3DES presence. Status: Unverified; requires a dedicated TLS cipher suite scan (e.g., testssl.sh --cipher-per-proto) before this finding can be confirmed or dismissed. If RC4 or 3DES are confirmed active, this is a PCI DSS v4.0.1 Req 4.2.1 violation and should be elevated to High or Critical.

SOURCE-007: Blind Aid= Parameter Reflection into HTML Form Fields (Latent XSS Pattern):

The SearchHotel?Aid= query parameter value is reflected verbatim into one or more hidden <input> fields in the rendered HTML response without strict server-side sanitization before the reflection point. Current Razor templating HTML-encodes output by default, which neutralizes straightforward XSS payloads in this context, meaning this is not a currently exploitable XSS vulnerability.

However, this is a structurally unsafe pattern for the following reason: the Aid token is attacker-controlled input. If a future developer refactors the parameter reflection into a JavaScript context (e.g., var aid = '@Model.Aid';, an onclick attribute, or an innerHTML assignment), the existing HTML encoding will not prevent script injection, and the finding will instantly escalate to a high-severity Reflected XSS. The parameter also lacks server-side format validation: only the expected Base64 token pattern should be accepted, and arbitrary strings should not be reflected at all.

Remediation: (1) Add server-side input validation: reject Aid values that do not match the expected Base64 token format (length, character set, structural validity) before reflecting into any HTML context; (2) Add a code review policy that flags reflection of any query parameter into HTML without explicit allowlist validation; (3) Consider a strict CSP (already flagged under HEADERS-002) as a defense-in-depth control.
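As an added example (not the report's or the application's code), a hardened token handler that covers both SOURCE-006 and SOURCE-007: it allowlists the Aid= format before the value reaches verification or any reflection point, then authenticates the token with HMAC-SHA256, one of the two options the SOURCE-006 finding names (AES-GCM is not in the Python standard library). The token layout, key, affiliate ID and Base64url wire format are assumptions.

```python
"""Affiliate token hardening: format allowlist, then HMAC-SHA256 verification.
Added example, not the report's or the application's code. Token layout,
key, affiliate ID and Base64url wire format are assumptions.
"""
import base64
import hashlib
import hmac
import re

TAG_LEN = 32                                  # SHA-256 digest size in bytes
MAX_TOKEN_LEN = 256                           # upper bound for the format allowlist
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")      # Base64url alphabet, no padding
SERVER_KEY = b"constructed-demo-key-rotate-in-production"  # placeholder secret


class InvalidToken(ValueError):
    """Any token that must be answered with 400/403, never 200."""


def mint_aid(affiliate_id: int, key: bytes = SERVER_KEY) -> str:
    """Aid = base64url(payload || HMAC-SHA256(key, payload)), padding stripped."""
    payload = affiliate_id.to_bytes(4, "big")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).rstrip(b"=").decode("ascii")


def validate_aid_format(aid: str) -> bytes:
    """SOURCE-007 control: reject anything that is not a well-formed token
    before it reaches verification or any HTML reflection point."""
    if not aid or len(aid) > MAX_TOKEN_LEN or not TOKEN_RE.fullmatch(aid):
        raise InvalidToken("characters outside the Base64url alphabet or bad length")
    try:
        raw = base64.urlsafe_b64decode(aid + "=" * (-len(aid) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        raise InvalidToken("not valid Base64url") from None
    if len(raw) <= TAG_LEN:
        raise InvalidToken("too short to carry both a payload and a MAC")
    return raw


def verify_aid(aid: str, key: bytes = SERVER_KEY) -> int:
    """SOURCE-006 control: authenticate the token, then decode the affiliate id."""
    raw = validate_aid_format(aid)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise InvalidToken("MAC mismatch: token altered, truncated or forged")
    return int.from_bytes(payload, "big")


def handle_search_hotel(aid: str) -> int:
    """HTTP status a hardened SearchHotel endpoint should return for this Aid."""
    try:
        verify_aid(aid)
    except InvalidToken:
        return 400
    return 200
```

With this in place the report's evidence request (Aid=AAAAAAAA) is answered with 400, and a minted token whose Base64 is truncated or has a single character altered is rejected by the MAC check rather than processed.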


7. Low and Informational Findings

| Finding ID | Severity | Title |
|---|---|---|
| TLS-007 | LOW | 2048-bit RSA keys (NIST recommends 3072+ post-2030) |
| TLS-008 | LOW | HTTP→HTTPS 307 Temporary Redirect |
| TLS-009 | LOW | Manual-only certificate renewal pattern |
| HEADERS-009 | LOW | Server header discloses Kestrel / Microsoft-HTTPAPI/2.0 |
| HEADERS-010 | LOW | No Cache-Control on /Home/Start |
| INFRA-008 | LOW | Multi-hop CNAME chain for payment subdomain |
| INFRA-010 | LOW | HTTP TRACE method enabled: Cross-Site Tracing (XST) vector |
| TLS-010 | INFO | POSITIVE: TLS 1.0 and 1.1 correctly disabled |
| TLS-011 | INFO | POSITIVE: OCSP stapling active |
| TLS-012 | INFO | POSITIVE: Certificate Transparency logging active (36 entries) |
| RECON-009 | INFO | POSITIVE: reCAPTCHA v2 on login |
| INFRA-009 | INFO | POSITIVE: No admin paths exposed |
| HEADERS-012 | INFO | No X-XSS-Protection (deprecated header, informational only) |
| HEADERS-013 | INFO | Antiforgery cookie name reveals ASP.NET Core framework |
| SOURCE-005 | INFO | POSITIVE: No accessible source maps found |
| PRIVACY-008 | INFO | No DSAR mechanism for consumer rights requests |
| RECON-010 | INFO | Font Awesome 4.7.0 from StackPath CDN, no SRI |

INFRA-010: HTTP TRACE Method Enabled (Cross-Site Tracing):

An HTTP TRACE request to the application returned HTTP 200 OK with the request headers echoed in the response body. The TRACE method is intended for diagnostic loopback testing; it has no legitimate purpose on a production web application.

Impact: TRACE enables Cross-Site Tracing (XST), a technique in which a malicious JavaScript payload (injected via XSS) could use TRACE to read HttpOnly cookie values by examining the echoed request headers, bypassing the HttpOnly protection. In practice, modern browsers (Chrome, Firefox, Safari, Edge) block JavaScript from issuing TRACE requests, which substantially limits exploitability. However: (1) automated PCI DSS ASV scanners universally flag TRACE as a finding, which will block QSA certification until remediated; (2) older or non-standard HTTP clients are not subject to browser restrictions; (3) the presence of TRACE indicates that HTTP verb filtering is not applied, which is a defense posture gap.

Remediation: Disable the TRACE method in Kestrel/IIS. For Kestrel, add middleware to return 405 Method Not Allowed for TRACE requests. For IIS, set <verbs allowUnlisted="false"> in requestFiltering and omit TRACE from the allowed list. Verify with: curl -X TRACE https://www.travelpro365.com/; expected response after remediation: 405 Method Not Allowed.


8. Privacy and Compliance Status

8.1 California Consumer Privacy Act (CCPA) / CPRA

Status: NON-COMPLIANT (Multiple Confirmed Violations)

| Requirement | Status | Finding | Fine Precedent |
|---|---|---|---|
| Privacy policy with required disclosures (§1798.135(a)(2)) | ❌ ABSENT | PRIVACY-001 | Sephora $1.2M |
| "Do Not Sell or Share" link (§1798.135(a)(1)) | ❌ ABSENT | PRIVACY-002 | Sephora $1.2M |
| GPC signal honored (§1798.135(b) / CPRA) | ❌ 404 | PRIVACY-002 | Sephora $1.2M |
| Disclosure of third-party data sharing (§1798.100(a)) | ❌ None | COMPLIANCE-011 | DoorDash $375K |
| DSAR mechanism (§1798.130(a)(1)) | ❌ Absent | COMPLIANCE-012 | N/A |
| CalOPPA conspicuous privacy policy | ❌ Absent | PRIVACY-001 | $2,500–$7,500/violation |

The California AG has explicitly stated the travel sector is an enforcement priority. Coastline Travel Group's CST# (2040360-40) identifies it as a California-registered seller of travel, placing it squarely within the AG's jurisdiction.

8.2 General Data Protection Regulation (GDPR)

Status: NON-COMPLIANT (if serving EU residents)

| Requirement | Status | Finding |
|---|---|---|
| Privacy notice at collection point (Art. 13) | ❌ Absent | PRIVACY-001 |
| Lawful basis for processing (Art. 6) | ❌ No consent | COMPLIANCE-013 |
| Cookie consent mechanism (Art. 7) | ❌ None | COMPLIANCE-013 |
| Privacy by design (Art. 25) | ❌ Not implemented | COMPLIANCE-016 |
| Adequate technical security (Art. 32) | ❌ Multiple failures | COMPLIANCE-015 |
| International data transfer safeguards (Art. 44-49) | ❌ Unknown | COMPLIANCE-017 |

Fine precedents: Google Analytics CNIL €150M, Meta €60M, Booking.com €475K, Marriott £18.4M, British Airways £20M.

8.3 PCI DSS v4.0.1

Status: FAILING (Multiple Mandatory Requirements Unmet)

| Requirement | Status | Finding |
|---|---|---|
| Req 1.3.1: Network access controls | ❌ RDP open | RECON-003 |
| Req 4.2.1: Strong encryption in transit | ❌ Expired cert, weak HSTS | TLS-001, TLS-005 |
| Req 6.2.4: No error detail disclosure | ❌ Stack traces in 500 errors | RECON-004 |
| Req 6.3.3: Current software with patches | ❌ CVEs unpatched | THREAT-001 |
| Req 6.4.1: WAF for public-facing apps | ❌ No WAF | INFRA-001 |
| Req 6.4.3: CSP on payment pages | ❌ No CSP | HEADERS-002 |
| Req 8.3: API credential management | ❌ Keys in source | SOURCE-001 |
| CORS on payment domain (Req 6.4.3) | ❌ Wildcard reflection | HEADERS-001 |

Note on PCI DSS Req 6.4.1: The WAF requirement became mandatory for all merchants on March 31, 2025. The platform has been out of compliance for approximately 11 months. Fine precedents: Wyndham $10.9M (FTC enforcement for PCI violations), Heartland $145M (breach + PCI non-compliance), British Airways £20M.

8.4 ADA Title III: Web Accessibility

Status: NON-COMPLIANT (No Accessibility Statement)

The DOJ issued a final rule on April 24, 2024 establishing WCAG 2.1 AA as the accessibility standard for Title II entities and extending Title III guidance. No accessibility statement was found on travelpro365.com. A travel booking platform that is inaccessible to persons with disabilities exposes Coastline Travel Group to DOJ civil penalties of $75,000 for a first violation and $150,000 for subsequent violations, plus private litigation. (Finding: COMPLIANCE-018)

8.5 FTC Act §5

Status: EXPOSURE (Deceptive and Unfair Trade Practices)

The FTC Act §5 prohibits "unfair or deceptive acts or practices in or affecting commerce." Two confirmed violations:


9. Infrastructure Risk Assessment

9.1 Network Architecture

The current architecture places the production application server in maximum exposure:

```
Internet → [No WAF/CDN] → EC2 52.9.246.155 → Kestrel (ASP.NET Core)
                                            → Port 3389 (RDP — OPEN)
                                            → Port 80   (HTTP — OPEN)
                                            → Port 443  (HTTPS — OPEN)
```

The recommended architecture:

```
Internet → Cloudflare/WAF → [WAF-only origin IP rules] → EC2
                                                        → No direct public access
                                                        → RDP via VPN/SSM only
```

9.2 Single Point of Failure

The entire platform runs on a single EC2 instance with no load balancer, no auto-scaling group, and no high-availability configuration. A single hardware failure, a successful DDoS attack, or a ransomware infection would take the entire platform offline with no automatic failover. SOC 2 Availability criteria A1.2/A1.3 require business continuity and disaster recovery planning. Neither was found. (INFRA-007, COMPLIANCE-022)

9.3 Subdomain Exposure Summary

| Subdomain | TLS Status | WAF | Risk |
|---|---|---|---|
| travelpro365.com | Valid, expires ~2026+ | None | HIGH |
| www.travelpro365.com | Assumed same as root | None | HIGH |
| pay.travelpro365.com | GoDaddy cert (hostname mismatch), no HSTS | None | CRITICAL |
| mvt.travelpro365.com | Expires 12 days, no HSTS | None | CRITICAL |
| brownell.travelpro365.com | EXPIRED 65+ days | None | CRITICAL |

9.4 Threat Actor Landscape

The travel sector faces specific, documented threat actor attention:


10. Remediation Roadmap

Prioritized remediation actions ordered by criticality, effort, and regulatory exposure.

| Finding ID | Title | Severity | Effort | Priority | Owner | Timeline |
|---|---|---|---|---|---|---|
| RECON-003/THREAT-002 | Close RDP port 3389 | CRITICAL | Low | P0 | DevOps | Same day |
| THREAT-001/003 | Patch .NET to 8.0.21+ | CRITICAL | Low | P0 | DevOps | 72 hours |
| HEADERS-001 | Fix CORS on pay subdomain | CRITICAL | Low | P0 | Dev | 24 hours |
| THREAT-004 | Patch Microsoft-HTTPAPI/2.0 (Windows) | CRITICAL | Medium | P0 | DevOps | 24 hours |
| TLS-001 | Renew/decommission brownell cert | CRITICAL | Low | P0 | DevOps | Same day |
| INFRA-001/COMPLIANCE-003 | Deploy WAF/CDN (Cloudflare) | CRITICAL | Medium | P0 | DevOps | 48 hours |
| COMPLIANCE-013/023 | Disable HotJar; deploy CMP | CRITICAL | Medium | P1 | Dev/Legal | 1 week |
| PRIVACY-001 | Publish privacy policy | CRITICAL | Medium | P1 | Legal | 2 weeks |
| PRIVACY-002 | Add DNSMPI link, implement GPC | CRITICAL | Low-Med | P1 | Dev/Legal | 2 weeks |
| TLS-002 | Renew mvt cert immediately | HIGH | Low | P1 | DevOps | 48 hours |
| TLS-003 | Add HSTS to mvt subdomain | HIGH | Low | P1 | DevOps | 1 week |
| HEADERS-002 | Implement Content-Security-Policy | HIGH | High | P1 | Dev | 3 weeks |
| HEADERS-003 | Add X-Frame-Options to booking pages | HIGH | Low | P1 | Dev | 1 week |
| HEADERS-004 | Add X-Content-Type-Options: nosniff | HIGH | Low | P1 | Dev | 1 week |
| HEADERS-005 | Add Secure flag to antiforgery cookie | HIGH | Low | P1 | Dev | 1 week |
| RECON-004 | Disable stack traces in production | HIGH | Low | P1 | Dev | 1 week |
| SOURCE-001 | Restrict/rotate Google Maps API key | HIGH | Low | P1 | Dev | 1 week |
| INFRA-002 | Restrict EC2 SG after WAF deployment | HIGH | Low | P2 | DevOps | After WAF |
| THREAT-009 | CVE-2025-24070 patch (same as THREAT-001) | HIGH | Low | P1 | DevOps | 72 hours |
| COMPLIANCE-018 | Publish accessibility statement | HIGH | Medium | P2 | Legal/Dev | 3 weeks |
| COMPLIANCE-012 | Implement DSAR mechanism | HIGH | Medium | P2 | Legal | 4 weeks |
| TLS-005 | Increase HSTS max-age, add includeSubDomains | MEDIUM | Low | P2 | DevOps | 2 weeks |
| TLS-004 | Add CAA DNS records | MEDIUM | Low | P2 | DevOps | 1 week |
| RECON-006 | Enable DNSSEC | MEDIUM | Medium | P3 | DevOps | 4 weeks |
| INFRA-007 | Add ALB + auto-scaling for HA | MEDIUM | High | P3 | DevOps | 6 weeks |
| RECON-011 | Add SPF + DMARC DNS records | HIGH | Low | P1 | DevOps | 24–48 hours |
| SOURCE-006 | Migrate Aid tokens to AES-GCM + reject tampered input | HIGH | Medium | P1 | Dev | 2–3 weeks |
| SOURCE-007 | Add Aid= format validation; code review for unsafe reflection | MEDIUM | Low | P2 | Dev | 1 week |
| SOURCE-002/003 | Update jQuery; audit Hotel.js XSS | MEDIUM | Medium | P2 | Dev | 3 weeks |
| THREAT-005 | Replace jsPDF debug with production build | MEDIUM | Low | P2 | Dev | 2 weeks |
| HEADERS-006/007 | Add Referrer-Policy, Permissions-Policy | MEDIUM | Low | P2 | Dev | 1 week |
| COMPLIANCE-002 | Verify cipher suites (RC4/3DES check) | MEDIUM | Low | P2 | DevOps | 1 week |
| TLS-007 | Plan migration to 3072-bit RSA keys | LOW | Medium | P3 | DevOps | Before 2030 |
| HEADERS-009 | Suppress Server header | LOW | Low | P3 | DevOps | 4 weeks |
| INFRA-006 | Obfuscate reverse DNS hostname | LOW | Low | P3 | DevOps | 4 weeks |
| INFRA-010 | Disable HTTP TRACE method (PCI ASV requirement) | LOW | Low | P2 | DevOps | 1 week |

P0 = Emergency, begin immediately. P1 = This sprint. P2 = Next sprint. P3 = Backlog with defined deadline.


11. Appendix

A. Confirmed Positive Controls

The following security controls are correctly implemented and were credited in the risk score calculation:

B. Evidence Reference Index

| Evidence Item | Method | Result |
|---|---|---|
| Primary IP resolution | dig +short travelpro365.com | 52.9.246.155 |
| WAF absence | curl -sI header grep | No cf-ray, x-cache, via headers |
| Server identification | curl -sI | server: Kestrel |
| HSTS value | curl -sI \| grep strict | strict-transport-security: max-age=2592000 |
| Antiforgery cookie | Response header capture | Secure flag absent |
| CORS misconfiguration | curl OPTIONS -H 'Origin: https://evil.com' | Origin reflected with credentials |
| brownell cert status | openssl s_client | No peer certificate available |
| mvt cert expiry | openssl x509 -noout -dates | notAfter=Mar 16 23:59:59 2026 GMT |
| RDP port status | TCP port scan (RECON/THREAT) | Port 3389 OPEN |
| GPC endpoint | GET /.well-known/gpc.json | 404 Not Found |
| Privacy policy URLs | HTTP GET (multiple paths) | All 404 |
| HotJar presence | Page source analysis | static.hotjar.com/c/hotjar-*.js |
| Stripe key | Page source analysis | Live publishable key present |
| Maps API key | Page source analysis | AIzaSyDbHiYtx66hN9rq4yTwI0QKUfbJFaEHrh4 |
| EC2 direct IP response | curl -sk http://52.9.246.155/ | 404 (confirms direct response) |
| Reverse DNS | dig -x 52.9.246.155 | ec2-52-9-246-155.us-west-1.compute.amazonaws.com |
| SPF record check | dig TXT travelpro365.com +short | Only Google Site Verification; no v=spf1 record |
| DMARC record check | dig TXT _dmarc.travelpro365.com | NXDOMAIN (subdomain does not exist) |
| Aid token tampering | curl SearchHotel?Aid=AAAAAAAA | HTTP 200 OK (no validation error) |
| HTTP TRACE method | curl -X TRACE https://www.travelpro365.com/ | HTTP 200 OK (method enabled) |

C. CVE Reference Table

| CVE | CVSS | Component | Status | CISA KEV |
|---|---|---|---|---|
| CVE-2024-35264 | Critical | ASP.NET Core Kestrel (≤8.0.6) | Unverified patch status | No |
| CVE-2024-38229 | Critical | ASP.NET Core Kestrel (≤8.0.8) | Unverified patch status | No |
| CVE-2025-55315 | Critical | ASP.NET Core (≤8.0.20) | Unverified patch status | No |
| CVE-2025-24070 | High | ASP.NET Core (8.0, 9.0) | Unverified patch status | No |
| CVE-2021-31166 | 9.8 | Microsoft-HTTPAPI/2.0 | Unverified patch status | ✓ Yes |
| CVE-2015-1635 | 10.0 | Microsoft-HTTPAPI/2.0 | Unverified patch status | ✓ Yes |
| CVE-2019-0708 | 9.8 | Windows RDP (BlueKeep) | Unverified patch status | ✓ Yes |
| CVE-2025-68428 | High | jsPDF | Present (debug build) | No |
| CVE-2020-11023 | Medium | jQuery 3.x | Present (3.5.1 in use) | ✓ Yes |
| CVE-2023-44487 | 7.5 | HTTP/2 Rapid Reset | Unverified | No |

D. Regulatory Enforcement Precedents Referenced

| Regulation | Case | Amount | Relevance |
|---|---|---|---|
| CCPA | Sephora (2022) | $1.2M | No opt-out, no GPC: exact pattern match |
| CCPA | DoorDash (2023) | $375K | Undisclosed data sharing |
| CCPA | InMarket (2024) | $750K | GPC non-compliance |
| PCI DSS | Wyndham Hotels | $10.9M | Inadequate security controls |
| PCI DSS | Heartland Payment | $145M | Breach + PCI non-compliance |
| PCI DSS | British Airways | £20M | Security failures + data breach |
| GDPR | Google Analytics CNIL | €150M | Cookie consent |
| GDPR | Meta CNIL | €60M | Cookie consent |
| GDPR | Booking.com | €475K | Travel sector: disclosure failures |
| GDPR | Marriott | £18.4M | Travel sector: security failures |
| FTC Act §5 | Meta | $5B | Deceptive data practices |
| FTC Act §5 | CafePress | $500K | Inadequate security |
| ADA Title III | DOJ Final Rule (2024) | $75K–$150K/violation | Web accessibility |

E. Technical Notes


End of Report


Classification: CONFIDENTIAL

Prepared by: CIPHER Security Platform

Audit Date: March 4, 2026

Version: 1.0: Phase 1 Final

Next Review: Phase 2 assessment recommended after P0/P1 remediation items are complete

This report contains security-sensitive information. Distribution should be limited to authorized personnel with a need to know. Legal privilege review recommended before sharing outside Coastline Travel Group.