FirstBlood-#506: Several Information leakage through vaccination proof list
This issue was discovered on FirstBlood v2

On 2021-10-25, holybugx Level 5 reported:


Sensitive information about users' vaccination proofs is leaked through the exposed /vaccination-manager/api/vax-proof-list.php API endpoint. Proper authorization checks are not implemented on the API endpoint, which makes this attack possible. Users' Email Addresses, IP Addresses, User-Agents and Vaccination Proofs are leaked using this vulnerability.

The Swagger API exposes the /vaccination-manager/api/vax-proof-list.php API endpoint which doesn't contain any authorization.

The Swagger API is accessible through several paths, some of which are:


Steps To Reproduce

  1. Open the following URL to gain access to all vaccination proofs shared by users:


Here is an example leakage from the mentioned API endpoint:

   "email":"[email protected]",
   "user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko\/20100101 Firefox\/93.0",
   "created_at":"2021-10-26 17:33:34"

An attacker can view other users' vaccination proofs using their leaked proofs. It is possible to use the leaked proofs in the following format:


  • Users' Vaccination Proofs leakage, containing their Email Addresses, IP Addresses, User-Agents and Proof Images.


  • Implementing proper authorization to access the /vaccination-manager/api/vax-proof-list.php API endpoint.

FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manager portal directory, which allows for user interaction and results in a PII leak on vax-proof-list.php
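
A defender-side check for the condition this report describes, added here as an example (not code from the report or from FirstBlood): it walks an OpenAPI 3 document, the kind a Swagger UI serves, and lists every operation that can be called without credentials, together with any PII-looking response fields. The sample spec, the `sessionCookie` scheme, `/example/profile.php` and the field name `ip` are constructed assumptions.

```python
import json

# Constructed sample OpenAPI 3 document (assumption: not the application's real spec).
SAMPLE_SPEC = json.loads("""
{"openapi": "3.0.0", "security": [{"sessionCookie": []}],
 "paths": {
  "/vaccination-manager/api/vax-proof-list.php": {"get": {
    "security": [],
    "responses": {"200": {"content": {"application/json": {"schema": {
      "type": "array", "items": {"$ref": "#/components/schemas/Proof"}}}}}}}},
  "/example/profile.php": {"get": {"responses": {"200": {"description": "ok"}}}}},
 "components": {"schemas": {"Proof": {"type": "object", "properties": {
   "email": {}, "ip": {}, "user_agent": {}, "created_at": {}}}}}}
""")

METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}
PII_NAMES = {"email", "ip", "user_agent", "proof"}  # assumed field names

def fields(spec, schema):
    """Property names of a schema, following local $ref and array items."""
    for _ in range(8):  # bounded, so a self-referencing $ref cannot loop forever
        if schema and "$ref" in schema:
            node = spec
            for part in schema["$ref"].lstrip("#/").split("/"):
                node = node.get(part, {})
            schema = node
        elif schema and schema.get("type") == "array":
            schema = schema.get("items")
        else:
            return sorted((schema or {}).get("properties", {}))
    return []

def unauthenticated_operations(spec):
    """List (METHOD, path, pii_fields) for operations callable without credentials."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            # Operation-level security overrides global; [] or an empty {} entry is anonymous.
            sec = op.get("security", spec.get("security", []))
            if sec and all(sec):
                continue
            names = set()
            for resp in op.get("responses", {}).values():
                schema = resp.get("content", {}).get("application/json", {}).get("schema")
                names.update(fields(spec, schema))
            findings.append((method.upper(), path, sorted(names & PII_NAMES)))
    return findings
```

The check only reads what the spec declares, so an endpoint that declares a security scheme but never enforces it server-side still needs a request-level test.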