FirstBlood-#1683 Delete Ambulance Provided to any Appointment
This issue was discovered on FirstBlood v3

On 2022-12-13, mr_xhunt Level 8 reported:


Sending a DELETE request to the endpoint /api/manageambulances.php with an ambulance ID will delete the ambulance provided to any appointment.

Steps To Reproduce:

  1. Create an appointment with an ambulance:

  2. Now get the ambulance_id assigned to you via the following request:

  3. Send a DELETE request to /api/manageambulances.php with the ambId parameter and paste the value obtained in step 2.

P2 High

Endpoint: /api/manageambulances.php

Parameter: ambId

Payload: d9010b9b-8c1e-427c-979a-8b41fce1fb37

FirstBlood ID: 77
Vulnerability Type: Access_control

Sending an unauthenticated DELETE request to /api/manageambulances.php will cause that ambulance to be deleted.
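
The server-side checks whose absence this report describes, as an added example (not FirstBlood's code): a delete handler that requires a session and confirms the ambulance belongs to the caller before removing it. The in-memory store, user names, sample IDs and the function name deleteAmbulance are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data: ambulance id => id of the user whose appointment owns it.
$ambulances = [
    'aaaaaaaa-0000-4000-8000-000000000001' => 'alice',
    'aaaaaaaa-0000-4000-8000-000000000002' => 'bob',
];

/**
 * Decide the outcome of a DELETE for one ambulance and return an HTTP status.
 * $sessionUser is null when the request carries no valid session.
 */
function deleteAmbulance(?string $sessionUser, string $ambId, array &$ambulances): int
{
    // 1. Authentication: anonymous callers never reach the delete.
    if ($sessionUser === null) {
        return 401;
    }
    // 2. Input validation: accept only a UUID-shaped ambId.
    if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $ambId)) {
        return 400;
    }
    // 3. Authorization: the record must exist AND belong to the caller.
    //    Both failures return 404 so the response does not confirm foreign ids.
    if (!isset($ambulances[$ambId]) || $ambulances[$ambId] !== $sessionUser) {
        return 404;
    }
    unset($ambulances[$ambId]);
    return 204;
}

// Walk through the cases: no session, wrong owner, malformed id, rightful owner.
$cases = [
    [null,    'aaaaaaaa-0000-4000-8000-000000000001'],
    ['bob',   'aaaaaaaa-0000-4000-8000-000000000001'],
    ['alice', 'not-a-uuid'],
    ['alice', 'aaaaaaaa-0000-4000-8000-000000000001'],
];
foreach ($cases as [$user, $id]) {
    $status = deleteAmbulance($user, $id, $ambulances);
    printf("%-6s %-37s -> %d\n", $user ?? '(none)', $id, $status);
}
```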