Description
Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.
Problem types
Exposure of Private Personal Information to an Unauthorized Actor
Product status
Any version
Credits
George Chen
References
github.com/HiEventsDev/Hi.Events/issues/1224
github.com/HiEventsDev/Hi.Events/issues/1224 (Researcher Disclosure)
github.com/HiEventsDev/Hi.Events/pull/1229 (Pull Request)
www.vulncheck.com/...pii-exposure-via-check-in-list-short-id