FirstBlood-#650 Stored XSS when cancelling an appointment triggered in doctor panel
This issue was discovered on FirstBlood v2



On 2021-10-27, neolex Level 2 reported:

Description

There is a stored XSS when cancelling an appointment, triggered in the doctor panel. An attacker can add the parameter "message" when cancelling an appointment, and this is reflected without encoding on the doctor panel.

Steps to reproduce

Fix

You should HTML-encode the following characters: ><

Impact

An attacker can execute JavaScript inside the doctor's browser, meaning they can steal cookies without any user interaction.

P2 High

Endpoint: /api/ma.php

Parameter: message

Payload: "><svg onload=alert(document.cookie) >


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS in managing an appointment, it actually introduced new issues: the vulnerability now exists when creating and editing an appointment, not just when cancelling one. Making use of htmlentities() and relying on .value() in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' also results in admins being exposed to it on cancelled appointments.
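The report's suggested fix (encode only > and <) and the note above about htmlentities() both come down to the same point: the encoding has to match the context the value lands in. The report payload starts with a double quote, which means the message is reflected inside an HTML attribute. The following PHP is an added example, not FirstBlood's code; the input element, attribute names and the two extra payloads are assumptions made for the illustration. It renders the "message" value four ways and checks, per payload, whether the value stays inside its attribute.

```php
<?php
// Added example, not FirstBlood's code. Renders a stored "message" parameter
// into an attribute of the doctor panel in four ways and checks whether the
// value stays inside the attribute. The element and attribute names are
// assumptions made for this illustration.
declare(strict_types=1);

// 1. Vulnerable: the message is concatenated into the markup untouched.
function render_unsafe(string $message): string
{
    return '<input name="message" value="' . $message . '">';
}

// 2. Partial fix: only '<' and '>' are encoded, as the report suggests.
//    Quotes pass through, so the value can still close the attribute.
function render_angle_brackets_only(string $message): string
{
    $encoded = str_replace(['<', '>'], ['&lt;', '&gt;'], $message);
    return '<input name="message" value="' . $encoded . '">';
}

// 3. htmlentities() with its default flags into a single-quoted attribute.
//    Before PHP 8.1 the default was ENT_COMPAT, which leaves "'" alone, so
//    this is only safe on PHP >= 8.1 (where ENT_QUOTES became the default).
function render_htmlentities_default(string $message): string
{
    return "<input name='message' value='" . htmlentities($message) . "'>";
}

// 4. Hardened: explicit flags, so behaviour does not depend on the PHP version.
//    ENT_QUOTES encodes both quote characters, ENT_SUBSTITUTE replaces invalid
//    UTF-8 instead of returning an empty string, and the charset is pinned.
function render_safe(string $message): string
{
    $encoded = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input name="message" value="' . $encoded . '">';
}

// Every template above is '<input ... value=Q' . X . 'Q>' with Q the quote
// character. X is contained iff the first Q after 'value=Q' is the template's
// own closing quote (so the remainder is exactly Q followed by '>') and X
// contains no '<' that could start a new tag.
function value_is_contained(string $html, string $quote): bool
{
    $open = 'value=' . $quote;
    $start = strpos($html, $open);
    if ($start === false) {
        return false;
    }
    $start += strlen($open);
    $end = strpos($html, $quote, $start);
    if ($end === false) {
        return false;
    }
    return substr($html, $end) === $quote . '>'
        && strpos($html, '<', $start) === false;
}

// The payload from the report, plus two constructed variants: one that needs
// only a double quote to add an event handler, one that uses single quotes.
$payloads = [
    'report'       => '"><svg onload=alert(document.cookie) >',
    'double quote' => '" onfocus="alert(document.cookie)" autofocus="',
    'single quote' => "' onfocus='alert(document.cookie)' autofocus='",
];

$renderers = [
    'unsafe'                      => ['"', 'render_unsafe'],
    '<> only'                     => ['"', 'render_angle_brackets_only'],
    'htmlentities default'        => ["'", 'render_htmlentities_default'],
    'htmlspecialchars ENT_QUOTES' => ['"', 'render_safe'],
];

foreach ($payloads as $label => $payload) {
    echo "payload [{$label}]: {$payload}\n";
    foreach ($renderers as $name => [$quote, $fn]) {
        $html = $fn($payload);
        printf("  %-28s %s\n", $name, value_is_contained($html, $quote) ? 'contained' : 'BREAKOUT');
    }
}
```

Run it with `php example.php`. The '<> only' renderer reports a breakout for the report payload and the double-quote variant even though no tag can be opened, because a bare quote is enough to add an attribute such as onfocus to the existing element. The htmlentities() renderer's result for the single-quote variant depends on the PHP version, which is exactly why the hardened renderer passes ENT_QUOTES explicitly rather than relying on defaults; it also does nothing for a value that is later written into a script block or a URL, where a different encoder is needed.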