FirstBlood-#779Info disclosure on /vaccination-manager/api/vax-proof-list.php
This issue was discovered on FirstBlood v2

On 2021-10-28, xnl-h4ck3r Level 4 reported:


There is a publicly available Swagger API on /vaccination-manager/api.php. The API isn't public so this swagger UI should not be public either. This Swagger UI lets us know about endpoint /vaccination-manager/api/vax-proof-list.php. An attacker can look at PII for any user who has uploaded a proof of vaccination using this endpoint, and there is no requirement for authentication or authorisation to access the information.

Steps to reproduce

  1. Go to vaccination-manager/pub/upload-vaccination-proof.php and upload a document.
  2. Send a get request to /vaccination-manager/api/vax-proof-list.php and observe PII info of users who uploaded the info in step 1:


The publicly available Swagger UI gives an attacker information about a private API endpoint. Using this endpoint, the PII information of any user who uploads a proof of vaccination is accessible by anyone, without any form of authentication or authroisation.


Endpoint: /vaccination-manager/api/vax-proof-list.php

This report contains multiple vulnerabilities:

  • Info leak
  • Information leak/disclosure

FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manage portal directory which allows for user interaction and results in PII leak on vax-proof-list.php