FirstBlood-#695 User's vaccination data leak and with other info without needing to log into vaccine-manager portal
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-27, newrouge Level 3 reported:

Hey, I found that any user can access all users' PII info and vaccine info through the unauthenticated endpoint /vaccination-manager/api/vax-proof-list.php.

Thank you

newrouge

P1 CRITICAL

Endpoint: /vaccination-manager/api/vax-proof-list.php

This bug makes use of the following vulnerabilities in a chain:

  • Info leak
  • Information leak/disclosure


FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manager portal directory. It allows user interaction and results in a PII leak on vax-proof-list.php.
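Both findings come down to an API description that advertises an operation with no authentication in front of it. The following added example (not FirstBlood's code) audits an OpenAPI 3 document for operations that can be called anonymously; the spec is constructed for illustration, and only the vax-proof-list.php path comes from the report, while the other paths and the sessionCookie scheme are hypothetical.

```python
# Added example: flag OpenAPI 3 operations that declare no authentication.
# SPEC is a constructed sample; only the vax-proof-list.php path is from the report.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "constructed sample", "version": "0"},
    "components": {"securitySchemes": {
        "sessionCookie": {"type": "apiKey", "in": "cookie", "name": "session"}}},
    "paths": {
        "/vaccination-manager/api/vax-proof-list.php": {
            "get": {"responses": {"200": {"description": "vaccination proofs"}}}},
        "/hypothetical/authenticated.php": {  # hypothetical path
            "parameters": [],                 # non-method key, must be skipped
            "get": {"security": [{"sessionCookie": []}],
                    "responses": {"200": {"description": "ok"}}}},
        "/hypothetical/optional-auth.php": {  # hypothetical path
            "post": {"security": [{}, {"sessionCookie": []}],
                     "responses": {"200": {"description": "ok"}}}},
    },
}


def unauthenticated_operations(spec):
    """Return sorted (METHOD, path) pairs the spec allows without credentials."""
    default = spec.get("security", [])  # top-level requirement, if any
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level "security" key overrides the top-level default.
            requirements = operation.get("security", default)
            # An empty list, or an empty {} alternative, permits anonymous calls.
            if not requirements or any(req == {} for req in requirements):
                findings.append((method.upper(), path))
    return sorted(findings)


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SPEC):
        print(f"no authentication required: {method} {path}")
```

A clean result only shows what the spec declares; the server-side session check on each endpoint still has to be verified separately.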