LeakIX - Host vantagem.plus

Domain vantagem.plus

Portugal

Vodafone Portugal - Communicacoes Pessoais S.A.

Software information

Microsoft-IIS 10.0

tcp/443 tcp/80

Swagger API description is publicly available

Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.

Those detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.

While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.

IP: 148.69.165.159
Domain: connect-staging.vantagem.plus
Port: 443
URL: https://connect-staging.vantagem.plus

First seen 2025-12-08 13:38
Last seen 2026-01-16 16:33
Open for 39 days

Severity: info
Fingerprint: 5733ddf49ff49cd1aad0354911861931f5a5c01e6812a0d8000e346770715f48

Public Swagger UI/API detected at path: /swagger/index.html - sample paths:
GET /api/Authentication/CreateToken
GET /api/Authentication/GetCard/{id}
GET /api/Authentication/GetCards
GET /api/Authentication/GetDependentCards
GET /api/Authentication/readProfile
GET /api/Beneficiary
GET /api/ClaimExpenses/CountApproved
GET /api/ClaimExpenses/CountApprovedByApprovalDate
GET /api/ClaimExpenses/CountApprovedByPaymentEmmissionDate
GET /api/ClaimExpenses/CountPayed
GET /api/ClaimExpenses/GetApproved
GET /api/ClaimExpenses/GetApprovedByApprovalDate
GET /api/ClaimExpenses/GetApprovedByPaymentEmissionDate
GET /api/ClaimExpenses/GetAsClient
GET /api/ClaimExpenses/GetDependentRefunds
GET /api/ClaimExpenses/GetPayed
GET /api/ClaimExpenses/GetRefunds
GET /api/ClaimExpenses/ReadPlafondSpent
GET /api/Client
GET /api/Client/GetByBI
GET /api/Client/GetByNIF
GET /api/Client/GetByTelephone
GET /api/Client/{id}
GET /api/Coverage/GetAsClient
GET /api/CoverageStandard
GET /api/CoverageStandard/{id}
GET /api/Dropdown/GetActivePolicies
GET /api/Dropdown/GetActivePolicyDependents
GET /api/Dropdown/GetClinics
GET /api/Dropdown/GetInsurers
GET /api/Dropdown/GetMedicalSpecialties
GET /api/Dropdown/GetVideoConsultationReasons
GET /api/Dropdown/getDiagnostics
GET /api/Dropdown/getMedicalProcedures/{networkId}
GET /api/Dropdown/getMedicalProceduresAuthorization
GET /api/Dropdown/getMedicalProceduresAuthorizationCount
GET /api/Payment
GET /api/Plan/GetPolicyPlans
GET /api/Plan/GetProductPlans
GET /api/Plan/{id}
GET /api/Policy
GET /api/Policy/{id}
GET /api/Product
GET /api/Product/{id}
GET /api/Provider
GET /api/Provider/GetAll
GET /api/Provider/GetByNIF
GET /api/Provider/GetClinicsByIds
GET /api/Provider/{id}
POST /api/Authentication/ChangePassword
POST /api/Authentication/Logout
POST /api/Authentication/authenticate
POST /api/Authentication/forgotpassword
POST /api/Beneficiary/SynchronizeBeneficiaries
POST /api/ClaimExpenses/BulkUpload
POST /api/ClaimExpenses/RefundRequest
POST /api/Messaging/SendProviderWelcomeLetter
POST /api/Payment/SynchronizePayments
POST /api/VideoConsultation/SendVideoConsultationRequest

Found on 2026-01-16 16:33

Create report

Swagger API description is publicly available

Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.

Those detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.

While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.

IP: 20.126.135.158
Domain: connect.vantagem.plus
Port: 443
URL: https://connect.vantagem.plus

First seen 2025-11-09 08:03
Last seen 2026-02-02 06:17
Open for 84 days

Severity: info
Fingerprint: 5733ddf49ff49cd1aad0354911861931f5a5c01e6812a0d8000e346770715f48

Public Swagger UI/API detected at path: /swagger/index.html - sample paths:
GET /api/Authentication/CreateToken
GET /api/Authentication/GetCard/{id}
GET /api/Authentication/GetCards
GET /api/Authentication/GetDependentCards
GET /api/Authentication/readProfile
GET /api/Beneficiary
GET /api/ClaimExpenses/CountApproved
GET /api/ClaimExpenses/CountApprovedByApprovalDate
GET /api/ClaimExpenses/CountApprovedByPaymentEmmissionDate
GET /api/ClaimExpenses/CountPayed
GET /api/ClaimExpenses/GetApproved
GET /api/ClaimExpenses/GetApprovedByApprovalDate
GET /api/ClaimExpenses/GetApprovedByPaymentEmissionDate
GET /api/ClaimExpenses/GetAsClient
GET /api/ClaimExpenses/GetDependentRefunds
GET /api/ClaimExpenses/GetPayed
GET /api/ClaimExpenses/GetRefunds
GET /api/ClaimExpenses/ReadPlafondSpent
GET /api/Client
GET /api/Client/GetByBI
GET /api/Client/GetByNIF
GET /api/Client/GetByTelephone
GET /api/Client/{id}
GET /api/Coverage/GetAsClient
GET /api/CoverageStandard
GET /api/CoverageStandard/{id}
GET /api/Dropdown/GetActivePolicies
GET /api/Dropdown/GetActivePolicyDependents
GET /api/Dropdown/GetClinics
GET /api/Dropdown/GetInsurers
GET /api/Dropdown/GetMedicalSpecialties
GET /api/Dropdown/GetVideoConsultationReasons
GET /api/Dropdown/getDiagnostics
GET /api/Dropdown/getMedicalProcedures/{networkId}
GET /api/Dropdown/getMedicalProceduresAuthorization
GET /api/Dropdown/getMedicalProceduresAuthorizationCount
GET /api/Payment
GET /api/Plan/GetPolicyPlans
GET /api/Plan/GetProductPlans
GET /api/Plan/{id}
GET /api/Policy
GET /api/Policy/{id}
GET /api/Product
GET /api/Product/{id}
GET /api/Provider
GET /api/Provider/GetAll
GET /api/Provider/GetByNIF
GET /api/Provider/GetClinicsByIds
GET /api/Provider/{id}
POST /api/Authentication/ChangePassword
POST /api/Authentication/Logout
POST /api/Authentication/authenticate
POST /api/Authentication/forgotpassword
POST /api/Beneficiary/SynchronizeBeneficiaries
POST /api/ClaimExpenses/BulkUpload
POST /api/ClaimExpenses/RefundRequest
POST /api/Messaging/SendProviderWelcomeLetter
POST /api/Payment/SynchronizePayments
POST /api/VideoConsultation/SendVideoConsultationRequest

Found on 2026-02-02 06:17

Create report

Git configuration and history exposed

The following URL (usually /.git/config) is publicly accessible and is leaking source code and repository configuration.

IP: 13.89.172.4
Domain: vantagem.plus
Port: 443
URL: https://vantagem.plus

First seen 2022-06-20 10:39
Last seen 2024-09-18 19:51
Open for 821 days
- Severity: medium
  Fingerprint: 2580fa947178c88602b1737db148c044baa2727ab8135b5bbc521bbb3ad39a5a
```
[core]
	repositoryformatversion = 0
	filemode = false
	bare = false
	logallrefupdates = true
	ignorecase = true
[remote "origin"]
	url = https://github.com/azureappserviceoss/wordpress-azure
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
[branch "linux-appservice"]
	remote = origin
	merge = refs/heads/linux-appservice
```
  Found on 2024-09-18 19:51
  
  380 Bytes
Create report
Swagger API description is publicly available

Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.

Those detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.

While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.

IP: 148.69.165.159
Domain: api.suporte.vantagem.plus
Port: 443
URL: https://api.suporte.vantagem.plus

First seen 2025-11-28 11:28
Last seen 2026-02-02 06:49
Open for 65 days
- Severity: info
  Fingerprint: 5733ddf49ff49cd12ec8532c2ec8532c2ec8532c2ec8532c2ec8532c2ec8532c
```
Public Swagger UI/API detected at path: /swagger/index.html
```
  Found on 2026-02-02 06:49
Create report
Git configuration and history exposed

The following URL (usually /.git/config) is publicly accessible and is leaking source code and repository configuration.

IP: 13.89.172.4
Domain: www.vantagem.plus
Port: 443
URL: https://www.vantagem.plus

First seen 2022-09-19 15:42
Last seen 2024-09-18 17:05
Open for 730 days
- Severity: medium
  Fingerprint: 2580fa947178c88602b1737db148c044baa2727ab8135b5bbc521bbb3ad39a5a
```
[core]
	repositoryformatversion = 0
	filemode = false
	bare = false
	logallrefupdates = true
	ignorecase = true
[remote "origin"]
	url = https://github.com/azureappserviceoss/wordpress-azure
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
[branch "linux-appservice"]
	remote = origin
	merge = refs/heads/linux-appservice
```
  Found on 2024-09-18 17:05
  
  380 Bytes
Create report

Open service 148.69.165.159:443 · vantagem.plus

2026-01-23 06:22

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/8.3.11
X-UA-Compatible: IE=edge
Link: <https://vantagem.plus/wp-json/>; rel="https://api.w.org/"
Link: <https://vantagem.plus/wp-json/wp/v2/pages/8>; rel="alternate"; title="JSON"; type="application/json"
Link: <https://vantagem.plus/>; rel=shortlink
X-Powered-By: ASP.NET
Date: Fri, 23 Jan 2026 06:22:36 GMT
Connection: close
Content-Length: 114740

Page title: Vantagem Plus

<!DOCTYPE html>
<html class="html" lang="en-US">
<head>
	<meta charset="UTF-8">
	<link rel="profile" href="https://gmpg.org/xfn/11">

	<title>Vantagem Plus</title>
<meta name='robots' content='max-image-preview:large' />
<meta name="viewport" content="width=device-width, initial-scale=1"><link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel="alternate" type="application/rss+xml" title="Vantagem Plus &raquo; Feed" href="https://vantagem.plus/feed/" />
<link rel="alternate" type="application/rss+xml" title="Vantagem Plus &raquo; Comments Feed" href="https://vantagem.plus/comments/feed/" />
<script>
window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/vantagem.plus\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.4"}};
/*! This file is auto-generated */
!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings);
</script>
<style id='wp-emoji-styles-inline-css'>

	img.wp-smiley, img.emoji {
		display: inline !important;
		border: none !important;
		box-shadow: none !important;
		height: 1em !important;
		width: 1em !important;
		margin: 0 0.07em !important;
		ver

Found 2026-01-23 by HttpPlugin

Domain vantagem.plus

Portugal

Software information

Swagger API description is publicly available

Swagger API description is publicly available

Git configuration and history exposed

Swagger API description is publicly available

Git configuration and history exposed

vantagem.plus

api.suporte.vantagem.plus

connect.vantagem.plus

suporte.vantagem.plus

bo.vantagem.plus

connect-staging.vantagem.plus

api.suporte.vantagem.plus

provider-staging.vantagem.plus

bo-staging.vantagem.plus

connect.vantagem.plus

connect-staging.vantagem.plus

Domain summary

IP summary