FirstBlood-#120 Stored XSS on /drpanel/drapi/query.php?aptid
This issue was discovered on FirstBlood v1

On 2021-05-10, iffu Level 5 reported:

Hi zseano


I have found a Stored XSS vulnerability on /drpanel/drapi/query.php.

When a user wants to request for appointment, he needs to give his details and book appointment on But the input given to this page is reflected on the admin dashboard on /drpanel/drapi/query.php.

Steps to reproduce

  • Insert an XSS payload in the firstname and/or lastname of the appointment form on

  • When the admin visits /drpanel/drapi/query.php?aptid={{your_aptid_here}}, he will be popped with an alert box indicating XSS payload has fired successfully.

ZSEANO, I can't thank you enough for making this platform so wonderful that learning has become a great joy with an awesome community which comes to help when needed

P2 High

Endpoint: /drpanel/drapi/query.php

Parameter: ***

Payload: <script>confirm`1`</script>

FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS on /drapi/query.php via the patient's name.
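The fix for this class of bug is to encode the stored name fields at the point where the appointment record is written into the admin-facing response. The following is an added example, not FirstBlood's own code: the record layout, the `aptid` value and the function names are assumptions, and the name allowlist is a hypothetical policy.

```php
<?php
declare(strict_types=1);

// Constructed sample row, standing in for an appointment loaded by aptid.
// The first name carries the payload quoted in the report.
$appointment = [
    'aptid'     => 'constructed-aptid-0001',
    'firstname' => '<script>confirm`1`</script>',
    'lastname'  => "O'Neil",
];

// Encode a value for an HTML text node or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": stored values are concatenated into markup as-is, so the
// stored name is parsed as HTML when the admin opens the record.
function render_unescaped(array $apt): string
{
    return '<p>Name: ' . $apt['firstname'] . ' ' . $apt['lastname'] . '</p>';
}

// "After": every stored field is encoded at output time.
function render_escaped(array $apt): string
{
    return '<p>Name: ' . h($apt['firstname']) . ' ' . h($apt['lastname']) . '</p>';
}

// Second layer at booking time (hypothetical policy): accept only
// letters, spaces, apostrophes and hyphens, 1 to 64 characters.
function is_plausible_name(string $name): bool
{
    return preg_match('/^\p{L}[\p{L} \'\-]{0,63}$/u', $name) === 1;
}

$before = render_unescaped($appointment);
$after  = render_escaped($appointment);

echo "unescaped: $before\n";
echo "escaped:   $after\n";
echo 'raw <script> in unescaped output: ' . var_export(strpos($before, '<script>') !== false, true) . "\n";
echo 'raw <script> in escaped output:   ' . var_export(strpos($after, '<script>') !== false, true) . "\n";
echo 'payload passes name check:        ' . var_export(is_plausible_name($appointment['firstname']), true) . "\n";
echo 'O\'Neil passes name check:         ' . var_export(is_plausible_name($appointment['lastname']), true) . "\n";
```

Output encoding is the control that closes the bug; the booking-time allowlist only narrows what gets stored and does not replace encoding on the admin side.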