FirstBlood-#456 — [COLLAB with isitbug] Stored XSS via cancelled appointment's message that executes on doctors
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, shreky reported:
Same bug as last time again: via a cancelled appointment's message it's possible to exploit a Stored XSS that fires on /drpanel/cancelled.php when accessed by admins/doctors.
Steps to reproduce
- Make an appointment
- Cancel it and intercept the request, and add &message="><svg/onload=confirm`1`> to the POST params and send it. It should look like this:
- Now, as a doctor, go to Cancelled appointments from the dashboard
- The XSS will execute
Stored XSS that affects any doctor/admin that accesses /drpanel/cancelled.php.
FirstBlood ID: 22
Vulnerability Type: Stored XSS
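The report above does not include FirstBlood's source, so the following is an added example (editor's code, not the project's own) that models the bug class it describes: a cancellation message taken from the POST body, stored, and later written into /drpanel/cancelled.php without output encoding. The function names, the table columns, and the choice of an attribute context for the rendered message are assumptions; the payload is the one from the report. The vulnerable renderer is shown next to a hardened one that encodes at output time.

```php
<?php
// Added example, not FirstBlood code. Models how a stored cancellation
// message reaches the doctor panel. Names and layout are assumptions.
declare(strict_types=1);

// Constructed sample rows: what the cancel endpoint would persist if the
// "message" POST parameter is stored as-is. Row 102 carries the report's payload.
$cancelledAppointments = [
    ['id' => 101, 'patient' => 'Alice',   'message' => 'Sorry, cannot make it'],
    ['id' => 102, 'patient' => 'Mallory', 'message' => '"><svg/onload=confirm`1`>'],
];

// Vulnerable rendering (assumed): the stored message is concatenated straight
// into an HTML attribute. The leading "> closes value="..." and the <input>
// tag, so the <svg> element lands in the page and onload fires for every
// doctor or admin who opens the cancelled list.
function renderCancelledVulnerable(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . $row['patient'] . '</td>'
              . '<td><input type="text" value="' . $row['message'] . '" readonly></td></tr>' . "\n";
    }
    return $html;
}

// Output encoding for HTML text and attribute contexts. ENT_QUOTES encodes
// both " and ', so the same helper is safe inside single- or double-quoted
// attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: identical markup, every untrusted value passes through e().
// The payload is now literal text inside the attribute: &quot;&gt;&lt;svg ...
function renderCancelledSafe(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . e($row['patient']) . '</td>'
              . '<td><input type="text" value="' . e($row['message']) . '" readonly></td></tr>' . "\n";
    }
    return $html;
}

// Crude regression check for a reviewer: did any stored value inject a tag?
// A marker test on the rendered HTML, not a full HTML parse.
function containsInjectedSvg(string $html): bool
{
    return (bool) preg_match('/<svg\b/i', $html);
}

echo "--- vulnerable ---\n", renderCancelledVulnerable($cancelledAppointments);
echo "--- hardened ---\n", renderCancelledSafe($cancelledAppointments);
echo 'vulnerable output contains injected <svg>: ',
     var_export(containsInjectedSvg(renderCancelledVulnerable($cancelledAppointments)), true), "\n";
echo 'hardened output contains injected <svg>:   ',
     var_export(containsInjectedSvg(renderCancelledSafe($cancelledAppointments)), true), "\n";
```

Run it with `php cancelled_demo.php`. The fix belongs at the output site, not only at the cancel endpoint: filtering the message on the way in would leave already-stored payloads live for every doctor who opens the page, while encoding at render time neutralises them regardless of how they got into the database. A Content-Security-Policy that disallows inline script is a sensible second layer for a panel only staff can reach.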