amec0e

Below you can find disclosed reports from our Hackevents which are events we host for our members to win rewards. You can find more information here.

Report Title	Event ID	Severity	Vulnerability Type
[COLLAB] Reflected XSS via login endpoint	FirstBlood v2	Medium	`Reflective XSS`
[COLLAB] Can register as a doctor and steal token upon login.	FirstBlood v2	High	`Reflective XSS`
[COLLAB] DOM XSS on register patch bypass	FirstBlood v2	Medium	`Reflective XSS`
[COLLAB] Stored XSS on Cancel appointment which leads to ATO	FirstBlood v2	High	`Stored XSS`
[COLLAB] Phar deserialization to RCE via upload vaccination proof	FirstBlood v2	CRITICAL	`Deserialization`
[COLLAB] Password change endpoint leads to ATO of drAdmin account.	FirstBlood v2	CRITICAL	`Application/Business Logic`
[COLLAB] Enumerate users via vaccination manager login	FirstBlood v2	CRITICAL	`SQL Injection`
[COLLAB] Exposed api allows viewing of all vaccination proof leaking user emails	FirstBlood v2	CRITICAL	`Information leak/disclosure`
[COLLAB] Stored/Blind XSS / DOS via vaccination portal	FirstBlood v2	High	`Stored XSS`
[COLLAB] Able to modify email post booking an appointment	FirstBlood v2	Medium	`Application/Business Logic`

BugBountyHunter