DavaIndia's Next.js-based platform had an exposed admin subdomain that allowed unauthenticated access to super-admin APIs, which a security researcher exploited to create a super-admin account. The vulnerability exposed customer orders, personal data, inventory and drug-control functions. It was reported on August 20, 2025, fixed within a month, and confirmed closed with CERT-In on November 28, 2025. #DavaIndia #EatonZveare
Key points
- Security researcher Eaton Zveare discovered an exposed admin subdomain with unauthenticated super-admin APIs.
- By crafting a POST request, the researcher created a new super-admin account and gained full platform control.
- Attackers could view and edit stores, pharmacist details, customer orders, personal data, products, inventory, and coupons.
- Prescription requirement toggles could be bypassed, posing risks to drug controls and patient safety.
- The flaw was reported on August 20, 2025, patched within a month, and the case was confirmed closed on November 28, 2025.
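As an added illustration (not code from the DavaIndia platform or from the researcher's write-up), a minimal Node.js sketch of the access-control gap the key points describe: an admin-account creation handler that trusts any POST reaching the admin subdomain, next to a hardened version that requires an authenticated session carrying the super-admin role and records every decision for detection. The session tokens, role names and request shape are assumptions.

```javascript
// Constructed in-memory state standing in for the platform's session and account stores.
const sessions = new Map([
  ["tok-superadmin", { user: "ops-lead", role: "super-admin" }],
  ["tok-pharmacist", { user: "store-42", role: "pharmacist" }],
]);
const accounts = [];
const auditLog = [];

// Vulnerable shape: the handler assumes anything reaching the admin subdomain
// is already trusted, so an unauthenticated POST creates a super-admin account.
function createSuperAdminVulnerable(req) {
  accounts.push({ name: req.body.name, role: "super-admin" });
  return { status: 201 };
}

// Hardened shape: resolve the caller's session from the Authorization header,
// fail closed when it is missing or unknown, and require the super-admin role
// before a privileged account may be created. Denials are logged so a SOC can
// alert on repeated anonymous hits against admin-only routes.
function createSuperAdminHardened(req) {
  const token = (req.headers.authorization || "").replace(/^Bearer /, "");
  const session = sessions.get(token);
  if (!session) {
    auditLog.push({ event: "admin_create_denied", reason: "unauthenticated" });
    return { status: 401 };
  }
  if (session.role !== "super-admin") {
    auditLog.push({ event: "admin_create_denied", reason: "insufficient_role", user: session.user });
    return { status: 403 };
  }
  accounts.push({ name: req.body.name, role: "super-admin", createdBy: session.user });
  auditLog.push({ event: "admin_create_ok", user: session.user, name: req.body.name });
  return { status: 201 };
}

// Helper used to observe the effect of each handler on the account store.
function countSuperAdmins() {
  return accounts.filter((a) => a.role === "super-admin").length;
}
```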