FirstBlood-#1445: Get Request to `/api/doctors.php` leaks the PII of the Doctors
This issue was discovered on FirstBlood v3



On 2022-12-10, mr_xhunt Level 8 reported:

Summary:

Sending a GET request to /api/doctors.php leaks the PII of the doctors

Steps to Reproduce:

  1. Send a GET request to the following: https://7730aa21333f-mrxhunt.a.firstbloodhackers.com/api/doctors.php

P2 High

Endpoint: /api/doctors.php

Parameter: *

Payload: *


FirstBlood ID: 66
Vulnerability Type: Information leak/disclosure

It is possible to leak doctors' private information such as email and phone number via the /api/doctors.php endpoint. No authentication is needed.
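
A regression check for this class of issue, as an added example that is not part of the original report or the FirstBlood code base: it scans a response fetched without credentials for email and phone data. The JSON response shape, the field names and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Value patterns for the two PII types the report names (email, phone).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{6,}\d$")
# Key names that suggest PII even when the value is empty or masked.
PII_KEY_RE = re.compile(r"e-?mail|phone|mobile", re.IGNORECASE)


def find_pii(node, path="$"):
    """Walk decoded JSON recursively; return a list of (path, reason)."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if PII_KEY_RE.search(str(key)):
                findings.append((child, "pii-key"))
            findings.extend(find_pii(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_pii(item, f"{path}[{i}]"))
    elif isinstance(node, str):
        if EMAIL_RE.search(node):
            findings.append((path, "email-value"))
        elif PHONE_RE.match(node.strip()):
            findings.append((path, "phone-value"))
    return findings


def audit_anonymous_response(status, body):
    """Scan a response that was fetched with no cookies or tokens."""
    if status != 200:
        return []  # e.g. 401/403: the anonymous caller was refused
    try:
        return find_pii(json.loads(body))
    except json.JSONDecodeError:
        # Not JSON: fall back to a raw-text scan for email addresses.
        return [("$", "email-value")] if EMAIL_RE.search(body) else []


# Constructed sample bodies, not captured from the application.
LEAKY = '[{"id": 1, "name": "Dr. A", "email": "a@example.test", "phone": "+1 555 0100 200"}]'
SAFE = '[{"id": 1, "name": "Dr. A", "speciality": "Cardiology"}]'

if __name__ == "__main__":
    for finding in audit_anonymous_response(200, LEAKY):
        print(finding)
```

Run against every API route in a test suite with an unauthenticated client, an empty result list is the passing condition.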