FirstBlood-#498 — Stored XSS on /drpanel/cancelled.php can lead to admin account takeover
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, shivam18u Level 3 reported:
I found a stored XSS on /drpanel/cancelled.php which can lead to admin account takeover.
While cancelling an appointment, the message parameter is not sanitized. We can send our payload and trigger the XSS on an admin account.
Steps to reproduce:
1) Create an appointment and then visit the manage appointment page with the appointment id.
2) Start the burp intercept and click on cancel appointment on browser.
3) In the burp intercept, modify the request body and add a message parameter with payload "><script>alert(document.cookie)</script>. Send the request.
Have a nice day!
FirstBlood ID: 22
Vulnerability Type: Stored XSS
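As an added illustration from the defender's side (this is not FirstBlood's own code; the function names, the attribute context and the cookie settings are assumptions), a PHP sketch of the unescaped output that turns the stored message into an XSS, beside the output-encoded version and the session-cookie hardening that limits the account-takeover impact:

```php
<?php
// Added illustration, not FirstBlood's code. Function names are assumptions.
declare(strict_types=1);

// Vulnerable: the stored cancellation message is concatenated straight into
// HTML, so a value like "><script>alert(document.cookie)</script> closes the
// attribute and runs in the admin's browser when the cancelled list is viewed.
function render_cancellation_vulnerable(string $message): string
{
    return '<input type="text" value="' . $message . '">';
}

// Fix: encode on output for the exact context (an HTML attribute value).
// ENT_QUOTES encodes both ' and ", so the attribute cannot be broken out of.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_cancellation_safe(string $message): string
{
    return '<input type="text" value="' . html_attr($message) . '">';
}

// Defence in depth at storage time: bound the length and reject control
// characters. This is not a substitute for output encoding.
function validate_message(string $message): bool
{
    return mb_strlen($message, 'UTF-8') <= 500
        && preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $message) !== 1;
}

// Reduce the impact of any script that does run: an HttpOnly session cookie
// is not readable by document.cookie, so it cannot be exfiltrated this way.
// Must be called before session_start().
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed sample using the payload quoted in the report above.
$payload = '"><script>alert(document.cookie)</script>';
echo render_cancellation_vulnerable($payload), PHP_EOL;
echo render_cancellation_safe($payload), PHP_EOL;
```

Run it to compare the two rendered lines: the first contains a live script tag, the second an inert, fully encoded string.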