Stored XSS vulnerability in /clinics/profile.php?id={Clinic ID}

[Saud-Ahmad]

Stored XSS vulnerability in Version 2.0 which allows remote attacker to inject arbitrary script or html. This being stored, will impact all users who have permissions to view the vulnerable page.

Vulnerable Endpoint: http://localhost/RemoteClinic/clinics/profile.php?id=32 (in my case, 32 is Clinic ID).

Step To Reproduce:

1) Login in Application as Doctor. 2) When you scroll down the main dashboard page, there is clinics options, Click "New Clinic".

3) Here is four fields vulnerable for XSS /clinics/profile.php?id={Clinic ID} endpoint, "Clinic Name", "Clinic Address", "Clinic City" and "Clinic Contact", Inject XSS Payload in "Clinic Name", "Clinic Address", "Clinic City" and "Clinic Contact".

4) Click on "Register". 5) Now Click on "Clinics Directory".

6) After click on "Clinics Directory", you direct to /clinics/ endpoint where clinics directory show. Click on Clinic where XSS name show.

7) XSS Executed on /clinics/profile.php?id={Clinic ID} endpoint.

[Saud-Ahmad]

CVE-ID assigned for above vulnerability https://nvd.nist.gov/vuln/detail/CVE-2021-30042 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30042

[Saud-Ahmad]

Exploit has been Published by Exploit-DB https://www.exploit-db.com/exploits/49795