FirstBlood-#1481PII of doctors leaked through /api/doctors.php
This issue was discovered on FirstBlood v3

On 2022-12-10, 0xblackbird Level 5 reported:



I found out that /api/doctors.php returned all PII of any doctor.

Possible cause:

Since the endpoint wasn't referenced anywhere on the web interface, developers may have thought that it isn't a big deal. However they may have underestimated that content discovery through bruteforcing is still a thing.


I was able to leak private PII of doctors as an unauthorized user.

Steps to reproduce:

1) Visiting /api/doctors.php should list you all the registered doctors PII


I recommend restricting access to this endpoint to only allow privileged users to read such sensitive data.

Have a nice day.

Kind regards,


P2 High

Endpoint: /api/doctors.php

Parameter: N/A

Payload: N/A

FirstBlood ID: 66
Vulnerability Type: Information leak/disclosure

It is possible to leak doctors private information such as email and phone number via the /api/doctors.php endpoint. No authentication is needed.