FirstBlood-#1710 — Stored xss in doctors photo on meet drs.php
This issue was discovered on FirstBlood v3
On 2022-12-14, didsec Level 5 reported:
I have discovered a stored XSS vulnerability affecting the doctors photo on meet_drs.php
/x" onerror=alert(document.domain) xss="
- Login to the
drpaneland pick a doctor to modify
- Make any modifications you would like
Save informationand intercept the request
&photoUrl=/x" onerror=alert(document.domain) xss="to the data and forward the request
firstbloodhackers.com/meet_drs.phpand the xss will execute
- The attacker could steal a user's cookies.
- The attacker can steal data from whoever views the page.
FirstBlood ID: 64
Vulnerability Type: Stored XSS
There is a stored XSS vulnerability on meet_drs.php from the photo of the doctor