d20s84

Below you can find disclosed reports from our Hackevents which are events we host for our members to win rewards. You can find more information here.

Report Title	Event ID	Severity	Vulnerability Type
Open Url redirection	FirstBlood v1	Low	`Open Redirect`
Stored Cross site scripting	FirstBlood v1	CRITICAL	`Stored XSS`
Info leak that leads to non admin login	FirstBlood v1	High	`Auth issues`
Patient's information can be obtained from a non admin account	FirstBlood v1	CRITICAL	`Application/Business Logic`
Email id can be modified for a patient	FirstBlood v1	High	`Application/Business Logic`
Stored XSS found on /manageappointment.php?success&aptid={id}	FirstBlood v2	High	`Stored XSS`
Reflective XSS at /login.php	FirstBlood v2	Medium	`Reflective XSS`
[unpatched]Reflective XSS on /login.php?action=login&ref={payload}	FirstBlood v2	Medium	`Reflective XSS`
Test Credentials are still working	FirstBlood v2	Medium	`Auth issues`
[Unpatched] Patient's information can be changed that is not allowed to change by the webapp	FirstBlood v2	Medium	`Application/Business Logic`
Admin password can be changed and retained by anyone	FirstBlood v2	CRITICAL	`Application/Business Logic`
[Unpatched] Stored XSS still working on admin's cancelled report panel	FirstBlood v2	High	`Stored XSS`

BugBountyHunter