FirstBlood-#671: Vaccination proof leak
This issue was discovered on FirstBlood v2

On 2021-10-27, shivam18u (Level 3) reported:

Hi Sean,

I found that the URL leaks the vaccination proof of all the submissions along with their emails.

The vaccination proof might contain PII. The images can be fetched from

Have a nice day!


Endpoint: /vaccination-manager/api/vax-proof-list.php

Parameter: .

Payload: .

FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php
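
A defender-side check for the exposure described above, as an added example that is not FirstBlood's code: it walks an OpenAPI document (the kind swagger-ui renders) and lists every operation that declares no authentication requirement. The sample spec is constructed; only the vax-proof-list.php path is taken from the report, and the `/example/...` paths and the `sessionCookie` scheme name are hypothetical.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}
COOKIE = {"sessionCookie": []}  # hypothetical security scheme name

# Constructed sample document. Only the vax-proof-list.php path comes from the
# report; the /example/... paths are hypothetical.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/vaccination-manager/api/vax-proof-list.php": {"get": {"responses": {}}},
        "/example/protected": {"post": {"security": [COOKIE], "responses": {}}},
        "/example/optional-auth": {"get": {"security": [{}, COOKIE], "responses": {}}},
    },
}


def effective_security(spec, operation):
    # An operation-level "security" key overrides the document-level default,
    # including an explicit empty list, which removes the default entirely.
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def allows_anonymous(requirements):
    # No requirements at all, or an empty requirement object {}, means the
    # operation can be called without presenting any credential.
    return not requirements or any(req == {} for req in requirements)


def unauthenticated_operations(spec):
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            # Path items also hold non-operation keys (parameters, summary, ...).
            if method.lower() not in HTTP_METHODS or not isinstance(operation, dict):
                continue
            if allows_anonymous(effective_security(spec, operation)):
                findings.append((method.upper(), path))
    return sorted(findings)


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        print(f"no auth declared: {method} {path}")
```

A declared requirement only documents intent; each handler still has to enforce it server-side, so every flagged operation that returns PII needs a review of the code behind it.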