FirstBlood-#673 — [Unpatched] Stored XSS still working on admin's cancelled report panel
This issue was discovered on FirstBlood v2
On 2021-10-27, d20s84 Level 3 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hi again an again sean :p . Hope you and your family are all well !! I found a stored XSS. More about it down below :)
Summary:
This is an unpatched vulnerability. Bascially I was able to inject javaScript that would lead to Stored Cross Site Scripting
Impact:
Very Devastating!! If this attack is more escalated than what is in here it could lead to account takeover.
How?
- I Booked an appointment on /book-appointment.php.
- Then i went to manage my appointment on yourappointments.php. Used my previously generated id.
- Then i clicked on Cancel Button and intercepted the Request in Burp. I added an extra message={payload} parameter in the request.
- On viewing the request from the admin panel the javascript payload triggered .
P2 High
Endpoint: source=/api/ma.php,sink=/drpanel/cancelled.php#
Parameter: message=
Payload: "><script>alert("unpatched")</script>
FirstBlood ID: 22
Vulnerability Type: Stored XSS
Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.