th4nu0x0

Below you can find disclosed reports from our Hackevents which are events we host for our members to win rewards. You can find more information here.

Report Title	Event ID	Severity	Vulnerability Type
Viewing/Cancelling anyone's appointment	FirstBlood v1	High	`Insecure direct object reference`
[IDOR] Modifying anyone's Appointment information	FirstBlood v1	High	`Application/Business Logic`
Creating Admin account using a leaked token on r/BugBountyHunter and using restricted API calls .	FirstBlood v1	High	`Auth issues`
Event is leaking attendees Personal information.	FirstBlood v1	CRITICAL	`Information leak/disclosure`
Open Redirect on /drpanel/logout.php?ref=	FirstBlood v2	Low	`Open Redirect`
Modifying information on Appointment Form which are not allowed to be modified.	FirstBlood v2	Medium	`Application/Business Logic`
Reflective XSS on /login.php?goto=	FirstBlood v2	Medium	`Reflective XSS`
Registering as Doctor by using `Test` as invite code	FirstBlood v2	Medium	`Auth issues`
Changing Anyone's Password Including drAdmin (As a Non-authenticated user)	FirstBlood v2	CRITICAL	`Application/Business Logic`
Stored XSS on Cancel Appointment Message.	FirstBlood v2	High	`Stored XSS`
Newly Registered Doctor's can query for patient inforamtion	FirstBlood v2	Medium	`Application/Business Logic`

BugBountyHunter