FirstBlood-#142 — IDOR on newly registered doctor
This issue was discovered on FirstBlood v1
On 2021-05-10, codersanjay (Level 3) reported:
A newly registered doctor cannot see the patients' info in general,
but with the aptid known or randomly guessed, he can still get the patients' info by just sending a GET request to
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
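To make the missing check concrete, here is an added example (not code from FirstBlood or the reporter) contrasting a handler that returns patient info to any logged-in doctor with one that enforces object-level authorization on the aptid; the User/Appointment types, the role names and the sample appointments are assumptions.

```python
"""Added example (not FirstBlood's own code): an appointment lookup that
trusts any authenticated doctor (the IDOR described above) beside a
version that authorizes the (user, aptid) pair. Types, roles and the
sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    role: str                       # assumed roles: "admin" or "doctor"
    doctor_id: Optional[int] = None


@dataclass
class Appointment:
    aptid: int
    assigned_doctor_id: int
    patient_name: str
    patient_notes: str


# Constructed sample store; sequential aptids are trivially guessable.
APPOINTMENTS: Dict[int, Appointment] = {
    1001: Appointment(1001, 7, "A. Patient", "blood pressure follow-up"),
    1002: Appointment(1002, 9, "B. Patient", "post-op check"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested appointment."""


def vulnerable_view(user: User, aptid: int) -> dict:
    """Mirrors the bug: being logged in as a doctor is the only check,
    so any aptid returns another doctor's patient information."""
    apt = APPOINTMENTS[aptid]
    return {"patient": apt.patient_name, "notes": apt.patient_notes}


def hardened_view(user: User, aptid: int) -> dict:
    """Fix: check that this user may read this object, not just that a
    session exists. Missing and unauthorized ids get the same error so
    the endpoint cannot be used to enumerate which aptids exist."""
    apt = APPOINTMENTS.get(aptid)
    if apt is None or (user.role != "admin" and apt.assigned_doctor_id != user.doctor_id):
        raise Forbidden()
    return {"patient": apt.patient_name, "notes": apt.patient_notes}


def can_read(user: User, aptid: int) -> bool:
    """Boolean wrapper around hardened_view for access-matrix checks."""
    try:
        hardened_view(user, aptid)
        return True
    except Forbidden:
        return False
```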