Wowjoy Internet Doctor Workstation System Improper Authorization Vulnerability Allowing Information Disclosure

Vulnerability

An improper authorization vulnerability has been identified in Wowjoy's Internet Doctor Workstation System version 1.0. This issue resides in the file '/v1/prescription/list' and allows remote attackers to access sensitive user information, including names, ID card details, phone numbers, and medical conditions, without authorization.

Impact

Exploitation of this vulnerability leads to unauthorized access to personal user information, including identification and health-related data.

Reproduction

To reproduce this vulnerability, first access the '/ms-pocket-hospital/v1/pushConfig/detail/' endpoint to retrieve the 'hospitalId'. Then, send a POST request to the '/ms-hoc-online-prescription/v1/prescription/list' endpoint, including the 'hospitalId' to obtain the 'prescriptionId'. Finally, use the 'prescriptionId' to access the '/ms-hoc-online-prescription/v1/prescription/details/' endpoint, which will disclose the sensitive information.
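For defenders reviewing gateway logs, the request sequence above can be searched for directly. The following is an added example, not code from the vendor or from this advisory. It assumes a hypothetical proxy log format in which each line records whether a session token was presented (`auth=yes|no`). The function names, log lines and prescription IDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoint prefixes, in order, taken from the advisory's reproduction steps.
CHAIN = (
    "/ms-pocket-hospital/v1/pushConfig/detail/",
    "/ms-hoc-online-prescription/v1/prescription/list",
    "/ms-hoc-online-prescription/v1/prescription/details/",
)
# Assumed log format (not from the advisory): time ip method path status auth=yes|no
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) auth=(yes|no)$")
# Constructed sample lines; addresses are documentation ranges, IDs are made up.
SAMPLE_LOG = """\
2025-06-09T10:00:01Z 203.0.113.7 GET /ms-pocket-hospital/v1/pushConfig/detail/ 200 auth=no
2025-06-09T10:00:02Z 198.51.100.4 POST /ms-hoc-online-prescription/v1/prescription/list 200 auth=yes
2025-06-09T10:00:03Z 203.0.113.7 POST /ms-hoc-online-prescription/v1/prescription/list 200 auth=no
2025-06-09T10:00:04Z 198.51.100.4 GET /ms-hoc-online-prescription/v1/prescription/details/1001 200 auth=yes
2025-06-09T10:00:05Z 203.0.113.7 GET /ms-hoc-online-prescription/v1/prescription/details/1001 200 auth=no
2025-06-09T10:00:06Z 192.0.2.9 GET /ms-hoc-online-prescription/v1/prescription/details/1002 401 auth=no
2025-06-09T10:00:07Z 192.0.2.33 GET /ms-hoc-online-prescription/v1/prescription/details/1003 200 auth=no
"""

def parse(log_text):
    """Yield (ts, ip, path, status, authed) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, _method, path, status, auth = m.groups()
            yield ts, ip, path.split("?", 1)[0], int(status), auth == "yes"

def unauthenticated_reads(log_text):
    """Every 2xx answer from a prescription endpoint served without a session."""
    return [(ip, path) for ts, ip, path, status, authed in parse(log_text)
            if not authed and 200 <= status < 300 and path.startswith(CHAIN[1:])]

def completed_chains(log_text):
    """Map client IP -> time of the final step, for full in-order unauthenticated walks."""
    step = defaultdict(int)  # ip -> index of the next expected CHAIN entry
    done = {}
    for ts, ip, path, status, authed in parse(log_text):
        if authed or not 200 <= status < 300 or ip in done:
            continue
        if path.startswith(CHAIN[step[ip]]):
            step[ip] += 1
            if step[ip] == len(CHAIN):
                done[ip] = ts
    return done

if __name__ == "__main__":
    print(completed_chains(SAMPLE_LOG), unauthenticated_reads(SAMPLE_LOG))
```

`unauthenticated_reads` is the broader signal: it also catches a client that goes straight to the details endpoint without walking the earlier steps.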

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.