Wowjoy Internet Doctor Workstation System Improper Authorization Vulnerability
Vulnerability
An improper authorization vulnerability has been identified in Wowjoy's Internet Doctor Workstation System version 1.0. The flaw lies in unspecified processing of '/v1/prescription/details/' and can be exploited remotely. The vulnerability has been publicly disclosed and allows unauthorized access to, and disclosure of, sensitive user information, including names, ID card details, phone numbers, and medical conditions.
Impact
Exploitation of this vulnerability leads to unauthorized access and disclosure of personal user information, such as names, ID card numbers, phone numbers, and medical conditions.
Reproduction
To reproduce this vulnerability, first access the '/ms-pocket-hospital/v1/pushConfig/detail/' endpoint to retrieve the 'hospitalId' value. Then, send a POST request to the '/ms-hoc-online-prescription/v1/prescription/list' endpoint, including the 'hospitalId' to obtain the 'prescriptionId'. Finally, use the 'prescriptionId' to access the '/v1/prescription/details/' endpoint, which will return the leaked personal information.
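A detection check for the request chain described above, as an added example that is not part of the original advisory: it scans web access logs for clients that call the three endpoints in order and then read several distinct prescriptions. The log format, the record id as the last path segment, the threshold, and the sample addresses and ids are assumptions.

```python
import re
from collections import defaultdict

# The three paths come from the advisory; the log format is an assumption.
CONFIG = "/ms-pocket-hospital/v1/pushConfig/detail/"
LISTING = "/ms-hoc-online-prescription/v1/prescription/list"
DETAILS = re.compile(r"/v1/prescription/details/([^/?\s]+)")  # id as last segment (assumed)
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_clients(lines, min_ids=3):
    """Map each client that walked config -> list -> details in order, and read
    at least min_ids distinct prescriptions, to the sorted ids it read."""
    stage = defaultdict(int)  # 0 = nothing seen, 1 = config seen, 2 = list seen
    ids = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format
        client, method, path, status = m.groups()
        if status != "200":
            continue  # only successful responses return data
        if stage[client] == 0 and path.startswith(CONFIG):
            stage[client] = 1
        elif stage[client] == 1 and method == "POST" and path.startswith(LISTING):
            stage[client] = 2
        elif stage[client] == 2:
            hit = DETAILS.search(path)
            if hit:
                ids[client].add(hit.group(1))
    return {c: sorted(v) for c, v in ids.items() if len(v) >= min_ids}


def entry(client, method, path, status=200):
    return f'{client} - - [01/Jan/2025:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample log: documentation-range addresses and made-up record ids.
SAMPLE_LOG = [
    entry("203.0.113.7", "GET", CONFIG),
    entry("203.0.113.7", "POST", LISTING),
    entry("203.0.113.7", "GET", "/v1/prescription/details/1001"),
    entry("203.0.113.7", "GET", "/v1/prescription/details/1002"),
    entry("198.51.100.20", "GET", "/v1/prescription/details/2001"),
    entry("203.0.113.7", "GET", "/v1/prescription/details/1003"),
    entry("203.0.113.7", "GET", "/v1/prescription/details/1004", status=403),
]

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

A flagged client is a lead for review against session and ownership records, since the log alone does not show whether the prescriptions belonged to the caller.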
