mrrootsec

Below you can find disclosed reports from our Hackevents which are events we host for our members to win rewards. You can find more information here.

Report Title	Event ID	Severity	Vulnerability Type
Reflected XSS at Register.php	FirstBlood v2	Medium	`Reflective XSS`
Reflected XSS at Login.php	FirstBlood v2	Medium	`Reflective XSS`
Environment Files Exposed Publicly	FirstBlood v2	High	`Information leak/disclosure`
Applogic at Modifying Appointment Details	FirstBlood v2	Medium	`Application/Business Logic`
drAdmin account recoverable using editpassword.php	FirstBlood v2	CRITICAL	`Application/Business Logic`
[COLLAB ] Session Invalidation at Vaccine Management Portal	FirstBlood v2	Low	`Application/Business Logic`
Stored XSS at /book-appointment.php	FirstBlood v2	High	`Stored XSS`
Stored XSS Leads to Admin Account Takeover	FirstBlood v2	High	`Stored XSS`
Open Redirect at Doctor Panel	FirstBlood v2	Low	`Open Redirect`
Broken Access Control Leads to Information Leak	FirstBlood v2	Medium	`Application/Business Logic`
Doctor Role can be obtained using leaked invite code	FirstBlood v2	Medium	`Auth issues`
AppLogic when registering as a doctor using invite code	FirstBlood v2	Medium	`Auth issues`
Reflected XSS at /login.php using goto patameter leads to Account Takeover	FirstBlood v2	Medium	`Reflective XSS`
[COLLAB]Vaccination Management portal is vulnerable to Stored XSS	FirstBlood v2	High	`Stored XSS`
[COLLAB]vaccination-manager Login page is vulnerable to SQL injection	FirstBlood v2	CRITICAL	`SQL Injection`
[COLLAB]PII leakage via vax-proof-list API	FirstBlood v2	CRITICAL	`Information leak/disclosure`
[COLLAB]Upload Proof of Vaccination is vulnerable to RCE	FirstBlood v2	CRITICAL	`Deserialization`

BugBountyHunter