FirstBlood-#1061 — PII data leak
This issue was discovered on FirstBlood v3
On 2022-12-08, twsec Level 2 reported:
I have discovered a PII info leak while navigating to /api/doctors.php
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1670526097/fmk5cgcatnml7s2g3gpx.jpg)
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1670526098/sg8hhevkzbbicrvcchfd.jpg)
P2 High
Endpoint: /api/doctor.php
Parameter: /api/doctors.php
Payload: /api/doctor.php
FirstBlood ID: 66
Vulnerability Type: Information leak/disclosure
It is possible to leak doctors' private information, such as email and phone number, via the /api/doctors.php endpoint. No authentication is needed.
Creator & Administrator
Congratulations, you were the second user to discover this!
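As an added example (not part of the original report or of FirstBlood's code), here is a regression check a defender could run on the body an API returns to an unauthenticated caller, flagging email- and phone-like fields of the kind described above. The sample bodies, the key and value patterns, and the function names are assumptions constructed for illustration.

```python
import json
import re

# Assumed heuristics: key names and value shapes that indicate contact PII.
PII_KEY = re.compile(r"e[-_]?mail|phone|mobile", re.I)
EMAIL_VALUE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
PHONE_VALUE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def _walk(node, path):
    """Yield the JSON path of every key or string value that looks like PII."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # A suspicious key counts only when it actually carries data.
            if PII_KEY.search(key) and value not in (None, ""):
                yield child
            yield from _walk(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        # Catch PII hidden under an innocuous key name (e.g. "tel", "contact").
        if EMAIL_VALUE.fullmatch(node) or PHONE_VALUE.fullmatch(node):
            yield path


def pii_paths(body: str) -> list[str]:
    """Return de-duplicated JSON paths in `body` that expose contact PII."""
    return list(dict.fromkeys(_walk(json.loads(body), "$")))


def safe_for_anonymous(body: str) -> bool:
    """True when a response served without authentication exposes no PII."""
    return not pii_paths(body)


# Constructed sample bodies (not captured from the real endpoint).
LEAKY_BODY = json.dumps([{"id": 1, "name": "Dr. Example",
                          "email": "dr.example@clinic.example",
                          "tel": "+1 555 0100 200"}])
FIXED_BODY = json.dumps([{"id": 1, "name": "Dr. Example",
                          "speciality": "Cardiology"}])

if __name__ == "__main__":
    print("leaky:", pii_paths(LEAKY_BODY))
    print("fixed:", pii_paths(FIXED_BODY))
```

Wired into an integration test that requests each public endpoint without a session, a non-empty result fails the build before the field reaches production.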