FirstBlood-#279 — A non-admin doctor can still view patient information using the API
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-15, twsec reported:
After logging in as a non-admin doctor, we notice that we are not allowed to view patient information,
but using the API `/drapi/query.php?aptid=<idnumber>` he can access that info.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
Respect Earnt: 1500000
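The following is an added example, not code from the FirstBlood application: a minimal model of the `/drapi/query.php?aptid=<id>` endpoint showing the reported behaviour (any logged-in doctor gets the record) beside the fixed behaviour (the API enforces the same admin-only rule as the UI), plus a check over constructed access-log lines that flags non-admin accounts calling the endpoint. The appointment records, user names and log format are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed sample data: appointment id -> patient record (placeholder values).
APPOINTMENTS = {11: {"patient": "Patient A", "notes": "placeholder record"}}

# Constructed access-log lines in the assumed form "<user> <method> <path>".
SAMPLE_LOG = [
    "admin GET /drapi/query.php?aptid=11",
    "drjones GET /drapi/query.php?aptid=11",
    "drjones GET /drapi/index.php",
]


@dataclass
class Doctor:
    username: str
    is_admin: bool


def query_vulnerable(user, aptid):
    """Behaviour as reported: the API only checks that someone is logged in."""
    if user is None:
        return 401, None
    return 200, APPOINTMENTS.get(aptid)


def query_fixed(user, aptid):
    """Fixed: function-level access control, the same rule the admin UI applies."""
    if user is None:
        return 401, None
    if not user.is_admin:
        return 403, None  # non-admin doctors get a generic denial, no record
    record = APPOINTMENTS.get(aptid)
    return (200, record) if record else (404, None)


def flag_non_admin_api_hits(log_lines, admins):
    """Detection: list (user, aptid) for non-admin calls to the admin-only API."""
    hits = []
    for line in log_lines:
        user, _method, path = line.split(" ", 2)
        parsed = urlparse(path)
        if parsed.path == "/drapi/query.php" and user not in admins:
            aptid = parse_qs(parsed.query).get("aptid", ["?"])[0]
            hits.append((user, aptid))
    return hits
```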