FirstBlood-#463 — Cancelled Appointments is still vulnerable to Stored XSS
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, kinako reported:
Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.
There was a previously reported Stored XSS on the /drpanel/cancelled.php endpoint in FirstBlood v1, and I confirm that the vulnerability still exists in FirstBlood v2.
First of all, we can cancel our own appointment in
When cancelling, we can add the message parameter to leave a message to the doctors, like this:
And this message param will be reflected like this in the admin panel:
Thanks to the FirstBlood v1 report, I knew this functionality was vulnerable to Stored XSS, so I tested it again.
I used this payload:
Unfortunately, this Stored XSS bug is still alive.
- FirstBlood v2 has no HttpOnly flag on its session cookie, so attackers can steal the admin account's session cookie and perform ATO (Account Takeover)
FirstBlood ID: 22
Vulnerability Type: Stored XSS
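The two findings in the report (the message parameter echoed raw into the admin panel, and a session cookie issued without HttpOnly) have direct defender-side fixes. The PHP below is an added illustration, not FirstBlood's own code; the function names and the sample message are constructed for the example.

```php
<?php
// Added hardening example (not FirstBlood's code): render a stored
// cancellation message safely and issue the session cookie with HttpOnly.
declare(strict_types=1);

// Constructed sample input: the kind of value a patient could submit in the
// "message" parameter when cancelling an appointment (a canonical test string).
$sampleMessage = 'Sorry, I am sick <script>alert(1)</script>';

/**
 * Vulnerable pattern (the bug class the report describes): the stored
 * message is concatenated into the admin panel page as raw HTML.
 */
function renderMessageUnsafe(string $message): string
{
    return '<td>' . $message . '</td>';
}

/**
 * Hardened: HTML-encode the message for the HTML text context at output time.
 * ENT_QUOTES also encodes ' and " so the value stays inert inside quoted
 * attributes; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
 */
function renderMessageSafe(string $message): string
{
    return '<td>' . htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</td>';
}

/**
 * Session cookie hardening for the second finding: set HttpOnly (plus Secure
 * and SameSite) before session_start(), so even a script that does run in the
 * admin's browser cannot read the session cookie via document.cookie.
 * Requires PHP 7.3+ for the array form of session_set_cookie_params().
 */
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // assumes the panel is served over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Demonstration (run with `php example.php`): the unsafe line emits a live
// <script> tag; the safe line emits &lt;script&gt; which renders as text.
echo renderMessageUnsafe($sampleMessage), PHP_EOL;
echo renderMessageSafe($sampleMessage), PHP_EOL;
```

Output encoding fixes the injection itself; the HttpOnly flag only limits what a successful injection can reach, so both changes belong together.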