FirstBlood-#865 — Stored XSS on Cancel Appointment Message.
This issue was discovered on FirstBlood v2
On 2021-10-29, th4nu0x0 Level 2 reported:
- When a user cancels an appointment by adding a message with the request the message can be read by admin on
- Since the cookies are not set to HTTPonly I was able to capture the cookie's remotely when admin visits the /cancelled.php.
Steps To Reproduce:
Create appointment and copy the ID
On appointment management page enter the id.
Cancel Appointmentand capture the request
On body add message parameter and set it to
test"><img%20src=x%20onerror=alert(document.domain)>and forward the request
Now using your admin account visit https://firstbloodhackers.com/drpanel/cancelled.php
Account takeover of higher privilege users ( Admin, Doctors)
FirstBlood ID: 22
Vulnerability Type: Stored XSS