FirstBlood-#849Stored XSS in manageappointment.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-29, twsec Level 2 reported:

after creating an appointment we click on manage appointment modify the message in extra comments

and then view the page source and check the script tags and you'll find this:

this is from the page source now the page shows the following:

the payload is alert(document.cookie), an attacker can send this cookie to his server and grab the cookie and login as that user

P2 High

Endpoint: manageappointment.php

Parameter: message

Payload: '-alert(document.cookie)-'

FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.