FirstBlood-#1683 — Delete Ambulance Provided to any Appointment

This issue was discovered on FirstBlood v3. On 2022-12-13, mr_xhunt (Level 8) reported:

Summary: Sending a DELETE request to the endpoint /api/manageambulances.php with an ambulance Id will delete the ambulance provided to any Appointment.
Steps To Reproduce:
- Create an Appointment with an ambulance:
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1670942245/ewgkjh0sobfj3piaserb.png)
- Now get the abmulance_id assigned to you via the following request:
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1670942283/nzwhhwb0xmtkfhkkeunu.png)
- Send a DELETE method request to /api/manageambulances.php with the ambId parameter and paste the value got from step 2:
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1670942429/lklpp7jjlz4p73ylbc5q.png)
Severity: P2 High
Endpoint: /api/manageambulances.php
Parameter: ambId
Payload: d9010b9b-8c1e-427c-979a-8b41fce1fb37
FirstBlood ID: 77
Vulnerability Type: Access_control

Sending an unauthenticated DELETE request to /api/manageambulances.php will cause that ambulance to be deleted.
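The root cause described above is that the endpoint acts on the ambId parameter without first establishing who is calling or whether that ambulance belongs to the caller's appointment. The following is an added illustration, not FirstBlood's own source: a minimal handler in the weak shape beside a hardened one. The table and column names (ambulances, appointments, appointment_id, user_id), the session key user_id, and the placeholder PDO DSN are all assumptions made for the example.

```php
<?php
// Added example (not FirstBlood's code). Assumed schema:
//   ambulances(id UUID, appointment_id)  appointments(id, user_id)
// Assumed session: $_SESSION['user_id'] is set after login.
declare(strict_types=1);

// Weak shape: trusts ambId alone. No session check, no ownership check, so any
// caller who knows (or guesses) an id can delete someone else's ambulance.
function deleteAmbulanceVulnerable(PDO $db, array $params): array
{
    $ambId = $params['ambId'] ?? '';
    $stmt = $db->prepare('DELETE FROM ambulances WHERE id = :id');
    $stmt->execute([':id' => $ambId]);
    return ['deleted' => $stmt->rowCount() > 0];
}

// Hardened shape: require an authenticated session, validate the id format,
// and scope the DELETE to ambulances attached to an appointment the caller owns.
function deleteAmbulanceHardened(PDO $db, array $session, array $params): array
{
    if (empty($session['user_id'])) {
        http_response_code(401);
        return ['error' => 'authentication required'];
    }
    $ambId = $params['ambId'] ?? '';
    // The id seen in the report is a UUID; reject anything else before touching the DB.
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $ambId)) {
        http_response_code(400);
        return ['error' => 'invalid ambId'];
    }
    // Ownership is enforced inside the query: an id that belongs to another
    // user's appointment matches zero rows instead of being deleted.
    $stmt = $db->prepare(
        'DELETE FROM ambulances
          WHERE id = :id
            AND appointment_id IN (SELECT id FROM appointments WHERE user_id = :uid)'
    );
    $stmt->execute([':id' => $ambId, ':uid' => (int) $session['user_id']]);
    if ($stmt->rowCount() === 0) {
        // Log the denied attempt; repeated 404s on foreign ids are a useful IDOR signal.
        error_log(sprintf('manageambulances: user %d denied delete of %s',
            (int) $session['user_id'], $ambId));
        http_response_code(404);
        return ['error' => 'not found'];
    }
    return ['deleted' => true];
}

// Request dispatch. PHP does not populate $_POST for DELETE, so the body is
// read from php://input; query-string parameters are accepted as a fallback.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'DELETE') {
    session_start();
    parse_str((string) file_get_contents('php://input'), $body);
    $params = $body + $_GET;
    $db = new PDO('sqlite::memory:'); // placeholder DSN, replace with the real one
    header('Content-Type: application/json');
    echo json_encode(deleteAmbulanceHardened($db, $_SESSION, $params));
}
```

The design choice worth noting is that the ownership condition lives in the DELETE statement itself rather than in a separate SELECT-then-DELETE pair, so there is no window in which the check and the action can diverge, and the same query serves as both the authorization decision and the audit trigger when it affects zero rows.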