FirstBlood-#1804 Appointment UUIDs leaked through new ambulances API endpoint
This issue was discovered on FirstBlood v3

On 2022-12-17, 0xblackbird Level 5 reported:



I found out that the /api/ambulances.php endpoint discloses UUIDs + private data of all appointments made (where ambulance was set to 1 during booking). This should not be possible for unprivileged users.

Possible cause:

The developers may have added the all keyword for debugging purposes but forgot about it somehow.


I was able to reveal all the private appointments' data + UUIDs (this allows me to modify them, for example). This shouldn't be possible.

Steps to reproduce:

1) After visiting /api/ambulances.php?select=all for example, we can find the full location in the response


I recommend removing the all keyword from this endpoint for unprivileged users.

Have a nice day!

Kind regards,


P2 High

Endpoint: /api/ambulances.php

Parameter: select

Payload: all

FirstBlood ID: 71
Vulnerability Type: Information leak/disclosure

The endpoint /api/ambulances.php leaks patient information if the parameter ?select=all is supplied
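To make the pattern in this report and its triage summary concrete, here is an added Python model of the handler behind a "select" parameter whose debug keyword was never gated, beside a hardened version, plus the response check a tester would run. This is illustration code written for this page, not FirstBlood's PHP source: the record fields, the sample appointments, the "count" keyword as the endpoint's legitimate use, and the "admin" role are all assumptions.

```python
"""Added illustration of the ambulances.php leak pattern: a debug-only
'select=all' keyword that any unauthenticated caller can use.  Python
model written for this page, not FirstBlood's PHP code; the record
fields, the 'count' keyword and the 'admin' role are assumptions."""
import json
import re

# Constructed sample data, not real FirstBlood records.  Only appointments
# booked with ambulance=1 are reachable through the ambulances endpoint.
APPOINTMENTS = [
    {"uuid": "7c9e6679-7425-40de-944b-e07fc1f90ae7", "name": "Alice Smith",
     "location": "12 Harbour Road", "ambulance": 1},
    {"uuid": "2f1a4c8e-9b3d-4e6f-8a7b-0c1d2e3f4a5b", "name": "Bob Jones",
     "location": "4 Mill Lane", "ambulance": 0},
    {"uuid": "9d3b2a1c-4e5f-4a6b-9c8d-7e6f5a4b3c2d", "name": "Carol White",
     "location": "88 Station Street", "ambulance": 1},
]


def _ambulance_bookings():
    """Appointments where ambulance was set to 1 during booking."""
    return [a for a in APPOINTMENTS if a["ambulance"] == 1]


def vulnerable_ambulances(params, user=None):
    """Vulnerable handler: 'all' was added for debugging and never gated,
    so every caller, authenticated or not, gets full records with UUIDs."""
    select = params.get("select", "count")
    if select == "all":
        return {"status": 200, "body": _ambulance_bookings()}
    if select == "count":
        return {"status": 200, "body": {"ambulances": len(_ambulance_bookings())}}
    return {"status": 400, "body": {"error": "unknown select"}}


def hardened_ambulances(params, user=None):
    """Hardened handler: 'select' is allow-listed, and the record-dumping
    keyword is only honoured for a caller with the (assumed) admin role.
    Unprivileged callers never receive per-appointment fields."""
    select = params.get("select", "count")
    if select == "count":
        return {"status": 200, "body": {"ambulances": len(_ambulance_bookings())}}
    if select == "all":
        if user is None or user.get("role") != "admin":
            return {"status": 403, "body": {"error": "forbidden"}}
        return {"status": 200, "body": _ambulance_bookings()}
    return {"status": 400, "body": {"error": "unknown select"}}


# RFC 4122 style UUID (version nibble 1-5, variant nibble 8-b).
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)


def leaked_uuids(response):
    """Tester-side check: any UUIDs present in a response obtained without
    privileges.  A non-empty list on the unauthenticated request is the
    finding from the report."""
    return UUID_RE.findall(json.dumps(response["body"]))


if __name__ == "__main__":
    unauth = {"select": "all"}
    print("vulnerable:", leaked_uuids(vulnerable_ambulances(unauth)))
    print("hardened:  ", hardened_ambulances(unauth)["status"],
          leaked_uuids(hardened_ambulances(unauth)))
```

The allow-list plus authorization check is the fix the report recommends; the UUID regex is what turns "I can see private data" into a repeatable check for the same class of leak on other endpoints.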