FirstBlood-#854 — Stored XSS in cancelled appointment
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-29, twsec Level 2 reported:
There's a stored XSS vulnerability in a cancelled patient's appointment.
- Create an appointment, then go to manage appointment and press cancel. Before that, intercept the request in Burp and do the following:
add to the POST body: message="><script>alert(document.cookie)</script>&id=...
- Forward or send the request and, while logged in as drAdmin, go to cancelled appointments,
and a pop-up will be revealed with the cookie values.
- Check the source code for the page just to check how it executed.
message left from patient
FirstBlood ID: 22
Vulnerability Type: Stored XSS
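
The leading `">` in the reported payload suggests the stored message is written into a double-quoted attribute value. Assuming that, the following added example (not part of the report and not FirstBlood's code; the markup and function names are hypothetical) contrasts unencoded output with HTML-encoding applied when the cancelled-appointment row is rendered.

```javascript
// Added example: hypothetical rendering of a cancelled-appointment row.
// Markup and names are assumptions, not FirstBlood's actual code.

// Characters that can change HTML parsing state in element text and in
// quoted attribute values, mapped to their entity encodings.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse of escapeHtml, done in a single pass so "&amp;lt;" is not decoded twice.
function decodeHtml(text) {
  return text.replace(/&(amp|lt|gt|quot|#39);/g,
    (entity) => Object.keys(HTML_ESCAPES).find((ch) => HTML_ESCAPES[ch] === entity));
}

// Vulnerable: the stored message is concatenated into the attribute as-is.
function renderRowUnsafe(appt) {
  return `<tr><td>${appt.id}</td>` +
         `<td><input readonly value="${appt.message}"></td></tr>`;
}

// Hardened: same markup, every stored field encoded at output time.
function renderRowSafe(appt) {
  return `<tr><td>${escapeHtml(appt.id)}</td>` +
         `<td><input readonly value="${escapeHtml(appt.message)}"></td></tr>`;
}

// What the HTML parser would take as the value attribute (up to the first raw quote).
function attributeValue(html) {
  const match = /value="([^"]*)"/.exec(html);
  return match ? decodeHtml(match[1]) : null;
}

// True if a raw <script> start tag survives in the rendered markup.
function hasRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Message value taken from the report; the id is a constructed sample.
const sample = { id: 1, message: '"><script>alert(document.cookie)</script>' };

console.log('unsafe:', hasRawScriptTag(renderRowUnsafe(sample)), JSON.stringify(attributeValue(renderRowUnsafe(sample))));
console.log('safe:  ', hasRawScriptTag(renderRowSafe(sample)), JSON.stringify(attributeValue(renderRowSafe(sample))));
```

In the unencoded row the attribute ends at the payload's first quote and the script tag becomes markup; in the encoded row the whole message stays inside the attribute and decodes back to the stored text.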