[COLLAB] Exposed api allows viewing of all vaccination proof leaking user emails

FirstBlood-#743 — [COLLAB] Exposed api allows viewing of all vaccination proof leaking user emails
This issue was discovered on FirstBlood v2

This report has been reviewed and accepted as a valid vulnerability on FirstBlood!

On 2021-10-27, amec0e Level 3 reported:


Hey again mate,
From my previous RCE report Here getting the directory listings we can see that there is a endpoint api.php located in the directory /vaccination-manager/ this brings us to a Swagger UI in which we can see a new endpoint called vax-proof-list.php upon viewing this we can see all the user emails of those who have uploaded vaccination proofs.
Impact:
PII Leak of user emails and IP addresses
Steps to Reproduce:

Visit the endpoint /vaccination-manager/api.php


You can see the new endpoint leaked on page, visiting this and we get a leak of users emails including their IP address.

In Collaboration with thebinarybot

This report has been publicly disclosed for everyone to view

P1 CRITICAL

Endpoint: /vaccination-manager/api.php

Parameter: NA

Payload: NA

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manage portal directory which allows for user interaction and results in PII leak on vax-proof-list.php

BugBountyHunter

Impact:

Steps to Reproduce: