FirstBlood-#671 — Vaccination proof leak
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, shivam18u (Level 3) reported:
I found that the url
https://31b7af0d2012-shivam18u.a.firstbloodhackers.com/vaccination-manager/api/vax-proof-list.php leaks the vaccination proof of all the submissions along with their emails.
The vaccination proof might contain PII. The images can be fetched from
Have a nice day!
FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure
The endpoint /vaccination-manager/api/vax-proof-list.php returned every user's vaccination proof and email address to unauthenticated requests, so anyone who knew or discovered the path could read the PII of all submitters. The intended way to discover it was the swagger-ui exposed at /vaccination-manager/api.php, which enumerates the API's endpoints. When retesting the patched version, the check is that a request to the listing endpoint with no session cookie is rejected instead of answered with the submission list.
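The discovery and triage route described above, as an added example (not FirstBlood's code or the reporter's): read an OpenAPI/Swagger document, list the operations whose effective security requirement is empty, fetch those without credentials, and flag any response that carries email addresses. The spec and the responses below are constructed samples; the page only says that swagger-ui lives at /vaccination-manager/api.php, so where the raw spec is served and the name of the second, protected endpoint are assumptions.

```python
"""Triage helper: find operations an OpenAPI spec declares as unauthenticated,
probe them without credentials, and report PII (email addresses) in the body.
Added example; SAMPLE_SPEC and SAMPLE_RESPONSES are constructed test data."""
import json
import re
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")


def unauthenticated_operations(spec: Dict[str, Any]) -> List[str]:
    """Return 'METHOD path' for every operation whose effective `security`
    list is empty. An operation inherits the document-level `security`
    unless it overrides it; an explicit `security: []` turns auth off."""
    global_sec = spec.get("security", [])
    found = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            if not op.get("security", global_sec):
                found.append(f"{method.upper()} {path}")
    return found


def find_pii(body: Any) -> List[Dict[str, str]]:
    """Walk decoded JSON and collect string values that look like emails,
    together with the key they were stored under."""
    hits: List[Dict[str, str]] = []

    def walk(node: Any, key: str = "") -> None:
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, k)
        elif isinstance(node, list):
            for v in node:
                walk(v, key)
        elif isinstance(node, str) and EMAIL_RE.match(node):
            hits.append({"key": key, "value": node})

    walk(body)
    return hits


def probe(spec: Dict[str, Any],
          fetch: Callable[[str], Tuple[int, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Fetch each unauthenticated GET via fetch(path) -> (status, body_text)
    and return {path: pii_hits} for those that answer 200 with JSON containing
    email addresses. Only GETs are probed so a scan never triggers writes."""
    findings: Dict[str, List[Dict[str, str]]] = {}
    for op in unauthenticated_operations(spec):
        method, path = op.split(" ", 1)
        if method != "GET":
            continue
        status, text = fetch(path)
        if status != 200:
            continue
        try:
            body = json.loads(text)
        except ValueError:
            continue  # not JSON, nothing structured to inspect
        pii = find_pii(body)
        if pii:
            findings[path] = pii
    return findings


def http_fetch(base_url: str) -> Callable[[str], Tuple[int, str]]:
    """Real fetcher: plain GET with no cookies or Authorization header."""
    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
    return fetch


# Constructed sample spec: the listing endpoint from the report with auth
# switched off, plus a hypothetical protected endpoint inheriting global auth.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "security": [{"session": []}],
    "paths": {
        "/vaccination-manager/api/vax-proof-list.php": {"get": {"security": []}},
        "/vaccination-manager/api/hypothetical-protected.php": {"post": {}},
    },
}

# Constructed sample response shaped like the leak described in the report.
SAMPLE_RESPONSES = {
    "/vaccination-manager/api/vax-proof-list.php": (200, json.dumps([
        {"id": 1, "email": "alice@example.com", "proof": "/uploads/1.jpg"},
        {"id": 2, "email": "bob@example.com", "proof": "/uploads/2.jpg"},
    ])),
}


def offline_fetch(path: str) -> Tuple[int, str]:
    """Stand-in for http_fetch so the example runs without network."""
    return SAMPLE_RESPONSES.get(path, (404, ""))


if __name__ == "__main__":
    for path, hits in probe(SAMPLE_SPEC, offline_fetch).items():
        print(path, "->", [h["value"] for h in hits])
```

Swap `offline_fetch` for `http_fetch("https://<lab-host>")` to run it against a live instance; a patched deployment should make `probe` return an empty dict because the listing endpoint no longer answers 200 without a session.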