FirstBlood-#143 — IDOR on /drpanel/drapi/qp.php endpoint
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, codersanjay reported:
When a new doctor registers, he cannot search for patient details.
But by sending a POST request to the following endpoint from the newly created doctor account, full PII disclosure of all patients is possible.
Full PII disclosure.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
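As an added illustration (not FirstBlood's code; the real qp.php handler is not shown on this page), the PHP below contrasts a handler that only checks for a logged-in doctor with one that enforces an admin role taken from server-side session state and denies by default. The patient records, session layout and role names are constructed assumptions.

```php
<?php
// Added example, not FirstBlood's code: a minimal model of the reported
// authorization failure. The patient table, session shape and role names
// below are assumptions made for illustration.

declare(strict_types=1);

// Constructed sample data standing in for the patient table.
const PATIENTS = [
    ['id' => 1, 'name' => 'Alice Example', 'dob' => '1980-01-01', 'ssn' => '000-00-0001'],
    ['id' => 2, 'name' => 'Bob Example',   'dob' => '1975-06-30', 'ssn' => '000-00-0002'],
];

// Vulnerable shape: the only gate is "some doctor is logged in". A freshly
// registered doctor account passes and receives every record.
function queryPatientsVulnerable(array $session, string $q): array
{
    if (empty($session['doctor_id'])) {
        return ['status' => 403, 'body' => []];
    }
    return ['status' => 200, 'body' => searchPatients($q)];
}

// Hardened shape: the role comes from server-side session state set at login
// (never from a request parameter), and anything but 'admin' is denied.
function queryPatientsHardened(array $session, string $q): array
{
    $role = $session['role'] ?? null;
    if (empty($session['doctor_id']) || $role !== 'admin') {
        // Denials are logged so repeated probing of the admin API is visible.
        error_log(sprintf('qp denied: doctor_id=%s role=%s',
            $session['doctor_id'] ?? 'none', $role ?? 'none'));
        return ['status' => 403, 'body' => []];
    }
    return ['status' => 200, 'body' => searchPatients($q)];
}

function searchPatients(string $q): array
{
    return array_values(array_filter(PATIENTS,
        fn(array $p) => $q === '' || stripos($p['name'], $q) !== false));
}

// Usage: a newly registered, non-admin doctor session hits both handlers.
$newDoctor = ['doctor_id' => 42, 'role' => 'doctor'];
foreach (['queryPatientsVulnerable', 'queryPatientsHardened'] as $fn) {
    $r = $fn($newDoctor, '');
    printf("%-23s status=%d records=%d\n", $fn, $r['status'], count($r['body']));
}
```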
Respect Earnt: 1500000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.