FirstBlood-#912 — DOM XSS found on management portal
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-30, vishal Level 2 reported:
Description: Stored XSS in the message left at the time of cancellation of an appointment.
Steps to Reproduce:
1. Visit /book-appointment.php & create an appointment.
2. Copy the appointment ID you will receive.
3. Visit /yourappointments.php and, using your appointment ID, retrieve the appointment.
4. Now click on modify appointment, capture the request in a proxy & send it to the repeater tab.
5. Now you will need to make some changes to the request: add message=';alert(document.cookie)' in the request as below.
6. Now all you need to do is reload the step 4 web page.
7. All done; you should probably get a stored XSS popup just as I did on this page.
In any case, if something is missing just let me know - Vishal
FirstBlood ID: 22
Vulnerability Type: Stored XSS