FirstBlood-#743 [COLLAB] Exposed API allows viewing of all vaccination proof, leaking user emails
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-27, amec0e Level 3 reported:

Hey again mate,

From my previous RCE report (here), getting the directory listings, we can see that there is an endpoint, api.php, located in the directory /vaccination-manager/. This brings us to a Swagger UI in which we can see a new endpoint called vax-proof-list.php. Upon viewing this we can see all the user emails of those who have uploaded vaccination proofs.

Impact:

PII Leak of user emails and IP addresses

Steps to Reproduce:

  • Visit the endpoint /vaccination-manager/api.php

You can see the new endpoint leaked on the page; visiting this, we get a leak of users' emails including their IP address.

In Collaboration with thebinarybot

P1 CRITICAL

Endpoint: /vaccination-manager/api.php

Parameter: NA

Payload: NA


FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manager portal directory, which allows for user interaction and results in a PII leak on vax-proof-list.php
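
A defender-side check for the condition this report describes, as an added example that is not part of the original report or of FirstBlood's code: it audits the OpenAPI document behind a Swagger UI and lists every operation that can be called without credentials, together with any response fields that look like PII. The sample spec is constructed; only the vax-proof-list.php path comes from the report, and the field names, the second path and the `sessionCookie` scheme are assumptions.

```python
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
PII_TOKENS = {"email", "ip", "phone", "address"}  # heuristic, tune per API

# Constructed sample spec (not taken from the target). Only the
# vax-proof-list.php path comes from the report; the field names, the second
# path and the "sessionCookie" scheme are assumptions.
_ROW = {"type": "object", "properties": {
    "email": {"type": "string"}, "ip_address": {"type": "string"},
    "file": {"type": "string"}}}
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/vaccination-manager/vax-proof-list.php": {"get": {"responses": {"200": {
            "content": {"application/json": {
                "schema": {"type": "array", "items": _ROW}}}}}}},
        "/vaccination-manager/example-protected.php": {"post": {
            "security": [{"sessionCookie": []}],
            "responses": {"200": {"description": "ok"}}}},
    },
}

def is_anonymous(operation, spec):
    """True when the operation can be called with no credentials."""
    # Operation-level `security` overrides the document-level default.
    reqs = operation.get("security", spec.get("security", []))
    # No requirements at all, or an empty {} alternative, both allow anonymous use.
    return not reqs or any(req == {} for req in reqs)

def property_names(node):
    """Yield every key under any `properties` object in a schema tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "properties" and isinstance(value, dict):
                yield from value
            yield from property_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from property_names(item)

def audit(spec):
    """Return (METHOD, path, pii_fields) for each anonymously callable operation."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or not is_anonymous(op, spec):
                continue
            pii = sorted({n for n in property_names(op.get("responses", {}))
                          if PII_TOKENS & set(re.split(r"[^a-z0-9]+", n.lower()))})
            findings.append((method.upper(), path, pii))
    return findings
```

The walk does not resolve `$ref` pointers, so schemas kept under `components` need to be inlined or resolved before the audit.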