FirstBlood-#1710: Stored XSS in doctor's photo on meet_drs.php
This issue was discovered on FirstBlood v3



On 2022-12-14, didsec Level 5 reported:

I have discovered a stored XSS vulnerability affecting the doctor's photo on meet_drs.php.

Payload

/x" onerror=alert(document.domain) xss="

To reproduce:

  1. Log in to the drpanel and pick a doctor to modify
  2. Make any modifications you would like
  3. Click Save information and intercept the request
  4. Add &photoUrl=/x" onerror=alert(document.domain) xss=" to the data and forward the request
  5. Visit firstbloodhackers.com/meet_drs.php and the XSS will execute

Impact:

  1. The attacker could steal a user's cookies.
  2. The attacker can steal data from whoever views the page.
  3. Users can execute arbitrary JavaScript code in the context of other users.

P2 High


FirstBlood ID: 64
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on meet_drs.php from the photo of the doctor.
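
The report does not show the server-side code. The following is an added example, not FirstBlood's own code: it assumes the stored photoUrl value is written into a double-quoted img src attribute, and shows that pattern beside a hardened version. The function names, the /images/doctors/ path policy and the fallback image are hypothetical.

```php
<?php
// Added example: hypothetical rendering helpers, not FirstBlood's code.

// Vulnerable pattern (assumed): the stored value is concatenated into a
// double-quoted attribute, so a `"` inside it closes src and lets the rest
// of the value be parsed as additional attributes such as onerror.
function render_photo_unsafe(string $photoUrl): string
{
    return '<img src="' . $photoUrl . '" alt="Doctor photo">';
}

// Input validation: accept only values that match the expected shape.
// Assumed policy: a site-relative path under /images/doctors/ with an
// image extension. Anything else (quotes, spaces, schemes) is rejected.
function is_allowed_photo_url(string $photoUrl): bool
{
    $pattern = '#\A/images/doctors/[A-Za-z0-9_-]+\.(?:png|jpe?g|webp)\z#';
    return preg_match($pattern, $photoUrl) === 1;
}

// Output encoding: even a validated value is encoded for the attribute
// context, so the page stays safe if validation is bypassed or old rows
// written before the fix are still in the database.
function render_photo_safe(string $photoUrl): string
{
    if (!is_allowed_photo_url($photoUrl)) {
        $photoUrl = '/images/doctors/default.png'; // hypothetical fallback
    }
    // ENT_QUOTES encodes both " and ', so the value cannot leave the attribute.
    $src = htmlspecialchars($photoUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $src . '" alt="Doctor photo">';
}

// Constructed inputs: the payload quoted in the report and a benign path.
$reported = '/x" onerror=alert(document.domain) xss="';
$benign   = '/images/doctors/dr_1.png';

echo "unsafe, reported value: ", render_photo_unsafe($reported), PHP_EOL;
echo "safe, reported value:   ", render_photo_safe($reported), PHP_EOL;
echo "safe, benign value:     ", render_photo_safe($benign), PHP_EOL;

// Encoding alone, without the allowlist, already keeps the value inside src.
echo "encoded only:           ",
    htmlspecialchars($reported, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```

Because step 4 of the report adds photoUrl to a request that did not otherwise carry it, the save handler should also accept only the fields the form is meant to submit.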