FirstBlood-#1368 Can change the data of the cancelled Appointments
This issue was discovered on FirstBlood v3

On 2022-12-09, mr_xhunt Level 7 reported:


Although this is not a security issue, after cancelling the appointment, visiting the API to cancel it again still works successfully, and if we change the name & DOB, that is also reflected there.

Steps To Reproduce:

  1. Create an appointment, then cancel it and record the request in Burp

  2. Cancelled POC

  3. Now send the cancel request again via the API, but this time change the name & dob header values

  4. POC: data got altered even though the appointment was cancelled

P4 Low

Endpoint: /manageappointment.php

Parameter: *

Payload: *

FirstBlood ID: 49
Vulnerability Type: Application/Business Logic

Users can modify their name/dob via the header parameters on modify-appointment.php despite this being restricted on the web application
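The flaw in the report is a state-handling bug: the cancel endpoint writes whatever name/dob values arrive with the request and never checks whether the appointment is already cancelled, so replaying the captured cancel request with altered values rewrites a record that the web UI treats as read-only. The Python model below is an added example, not FirstBlood's PHP code, and the handler names, the field names (`id`, `name`, `dob`, `status`), the sample appointment and the status codes are all assumptions made for the illustration. It places the vulnerable handler beside a hardened one and replays the reporter's steps against both.

```python
"""Model of the report's bug: a cancel handler that also writes name/dob on
every call, so replaying the cancel request with changed values alters a
cancelled appointment. Vulnerable and hardened handlers side by side.
This is an illustrative model, not the application's own code."""

from dataclasses import dataclass


@dataclass
class Appointment:
    name: str
    dob: str
    status: str = "booked"


def seed_store():
    """Constructed sample data: one booked appointment, as step 1 leaves it.
    The id '1001' is invented for the example."""
    return {"1001": Appointment(name="Alice Example", dob="1990-01-01")}


def cancel_vulnerable(store, params):
    """Behaviour described in the report (assumed shape of the bug): any
    supplied name/dob is written, then the record is marked cancelled, with
    no check on the current state. Replaying the request therefore edits
    an already-cancelled appointment."""
    appt = store.get(params.get("id"))
    if appt is None:
        return 404, "not found"
    if "name" in params:
        appt.name = params["name"]
    if "dob" in params:
        appt.dob = params["dob"]
    appt.status = "cancelled"
    return 200, "cancelled"


def cancel_hardened(store, params):
    """Assumed fix: cancelling is a pure state transition. Extra fields in
    the request are ignored, and a second cancel is rejected because a
    cancelled appointment is terminal."""
    appt = store.get(params.get("id"))
    if appt is None:
        return 404, "not found"
    if appt.status == "cancelled":
        return 409, "appointment already cancelled"
    appt.status = "cancelled"
    return 200, "cancelled"


def update_hardened(store, params):
    """The same rule applied to a separate edit action: cancelled records
    are immutable, and only the fields the UI permits are written."""
    appt = store.get(params.get("id"))
    if appt is None:
        return 404, "not found"
    if appt.status == "cancelled":
        return 409, "cancelled appointments cannot be modified"
    for key in ("name", "dob"):
        if key in params:
            setattr(appt, key, params[key])
    return 200, "updated"


def replay_attack(handler):
    """Reproduce steps 1 and 3: cancel once, then replay the cancel request
    with altered name/dob. Returns (status of the replay, final record)."""
    store = seed_store()
    handler(store, {"id": "1001"})
    code, _ = handler(store, {"id": "1001", "name": "Mallory", "dob": "1970-12-31"})
    return code, store["1001"]


if __name__ == "__main__":
    for handler in (cancel_vulnerable, cancel_hardened):
        code, record = replay_attack(handler)
        print(f"{handler.__name__}: replay -> {code}, record now {record}")
```

The vulnerable replay returns 200 and the cancelled record now carries the attacker-supplied name and dob; the hardened replay returns 409 and the record is unchanged. The check that matters is the status gate before any write, not which fields the UI happens to expose: every handler that can touch the record has to refuse once the appointment is in a terminal state.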