FirstBlood-#650Stored XSS when cancelling an appointement triggered in doctor panel
This issue was discovered on FirstBlood v2

On 2021-10-27, neolex Level 2 reported:


The is a stored XSS when cancelling an appointement triggered in doctor panel. An attacker can add the parameter "message" when cancelling an appointement and this one is reflected without encoding on doctor panel

Step to reproduce


You should html encode the following character : ><


An attacker can execute javascript inside doctor's browsing, meaning they can steal cookies without any user interaction

P2 High

Endpoint: /api/ma.php

Parameter: message

Payload: "><svg onload=alert(document.cookie) >

FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.