Are there any vulnerabilities?

Hi all.

I have a doubt I would like you to please help me with. I need to know whether an issue in a system could be regarded as a vulnerability.

A certain open endpoint (open in the sense that it does not require authentication of any kind) answers, given a document type and a document number, with the user's data, such as his/her email, phone number, full name, work and residential addresses, and affiliation status with respect to the client's business.

The main facts about this endpoint are:

  • One can enumerate users and, by extension, there is no measure against brute force.
  • The endpoint's performance decreases as the number of concurrent users/requests increases. The whole server even crashes with a small (<100) number of requests. The application is intended to serve any Internet user.
  • The data from the users is not taken from a public/government database, given that when known (real) documents are searched for, they seem to be missing.

Are there vulnerabilities? If we can say so, which finding(s) would you use to describe them?

Thanks in advance.

If the endpoint is listed on the resources of the project, then the findings will be:

  • FIN.S.0026 User Enumeration (only if the retrieved data shows that a valid user exists)
  • FIN.S.0003 Symmetric DoS (it is best to talk with the PM before trying this)
  • FIN.S.0038 Business information leakage (people information)

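As an added illustration (not code from the thread or from any project it mentions), the endpoint described above next to a hardened variant that addresses the three findings listed in the reply: an API token for the listed front-end instead of open access, a per-caller sliding-window rate limit against enumeration and request floods, and a minimised response that returns only the fields the calling feature needs. Records, tokens and limits are constructed sample values.

```python
import time
from collections import defaultdict, deque

# Constructed sample records keyed by (document type, document number).
RECORDS = {
    ("CC", "1001"): {"name": "Ana Perez", "email": "ana@example.invalid",
                     "phone": "+57-300-000-0000", "home_address": "Calle 1 #2-3",
                     "affiliated": True},
}

def lookup_open(doc_type, doc_number):
    """The endpoint as described: no authentication, no throttling, and a
    distinct 'not found' answer that tells any caller which numbers are valid."""
    rec = RECORDS.get((doc_type, doc_number))
    if rec is None:
        return 404, {"error": "not found"}   # distinct answer -> enumeration
    return 200, rec                           # full PII to any Internet user

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each caller key."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Hypothetical API tokens issued only to the listed (official) front-end.
VALID_TOKENS = {"token-constructed-1": "official-frontend"}
LIMITER = SlidingWindowLimiter(limit=5, window=60)

def lookup_hardened(token, doc_type, doc_number, now=None):
    """Same lookup behind a token check, a per-caller rate limit and a
    minimised response (only the fields the calling feature needs)."""
    now = time.time() if now is None else now
    caller = VALID_TOKENS.get(token)
    if caller is None:
        return 401, {"error": "authentication required"}
    if not LIMITER.allow(caller, now):
        return 429, {"error": "too many requests"}
    rec = RECORDS.get((doc_type, doc_number))
    if rec is None:
        return 404, {"error": "not found"}
    return 200, {"name": rec["name"], "affiliated": rec["affiliated"]}
```

In a real deployment the limiter key would normally combine the caller identity with the source address, and the 404 for authenticated callers is acceptable only because lookup by document number is the feature itself.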

The endpoint is not listed on the project’s resources, but is queried directly by an official, listed endpoint on the resources list. Does it count?

If a listed resource refers to or uses non-listed resources/endpoints, then they become targets of evaluation, since it depends on them.
However, if the endpoint belongs to a third party, it should not be tested and should only be indicated with FIN.S.0011.