FirstBlood-#189 — Stored Cross-site scripting
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-11, d20s84 reported:
Summary: Stored XSS can be triggered on the drAdmin panel while accessing /drpanel/cancelled.php#.
Source of injection: /api/ma.php
Sink of injection: /drpanel/cancelled.php#
- Register an appointment by filling in all the required credentials.
- Now, Click on the Manage appointment icon.
- Click on Cancel appointment and capture the request.
- Add message parameter in the body section as shown in the figure below [Consider the Note: section].
- Forward the request.
- Hover the mouse on the patient's name in the /drpanel/cancelled.php endpoint.
- Open the console log and boom, the payload has been logged as an array.
A malicious attacker can steal the cookie and perform other malicious activities on the admin panel.
The extra embedded message parameter in the body section of the request
This report has been publicly disclosed for everyone to view
FirstBlood ID: 8
Vulnerability Type: Stored XSS
When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors
Respect Earnt: 2000000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.