FirstBlood-#1445Get Request to `/api/doctors.php` leaks the PII of the Doctors
This issue was discovered on FirstBlood v3

On 2022-12-10, mr_xhunt Level 8 reported:


Sending GET request to /api/doctors.php leaks the PII of the doctors

Steps to Reproduce:

  1. Send Get request to follwoing :

P2 High

Endpoint: /api/doctors.php

Parameter: *

Payload: *

FirstBlood ID: 66
Vulnerability Type: Information leak/disclosure

It is possible to leak doctors private information such as email and phone number via the /api/doctors.php endpoint. No authentication is needed.