| Report Title | Event ID | Severity | Vulnerability Type |
|---|---|---|---|
| Test user can query all patients | FirstBlood v2 | Medium | Application/Business Logic |
| rXSS at /register.php | FirstBlood v2 | Medium | Reflective XSS |
| Open Redirect on /logout.php | FirstBlood v2 | Low | Open Redirect |
| rXSS on login.php leads to account takeover | FirstBlood v2 | Medium | Reflective XSS |
| Account takeover via /drpanel/drapi/editpassword.php | FirstBlood v2 | Critical | Application/Business Logic |
| POST-based rXSS on login.php | FirstBlood v2 | Medium | Reflective XSS |
| Stored XSS on /manageappointment.php | FirstBlood v2 | High | Stored XSS |
| Stored XSS on /cancelled.php | FirstBlood v2 | High | Stored XSS |
| RCE via PHAR deserialization on /api/checkproof.php | FirstBlood v2 | Critical | Deserialization |
| Leaked proofs of vaccination on /vaccination-manager/api/vax-proof-list.php | FirstBlood v2 | Critical | Information leak/disclosure |
| Stored XSS on /vaccination-manager/portal.php | FirstBlood v2 | High | Stored XSS |
| Patients can still change their application email | FirstBlood v2 | Medium | Application/Business Logic |
| Drpanel admin username enumeration | FirstBlood v2 | Low | Application/Business Logic |
| SQL Injection on /vaccination-manager/login.php | FirstBlood v2 | Critical | SQL Injection |
| Server misconfigurations post-RCE | FirstBlood v2 | Critical | Deserialization |