Stored XSS vulnerability in /patients/reports.php?id={Report ID}

[Saud-Ahmad]

Stored XSS vulnerability in Version 2.0 which allows remote attacker to inject arbitrary script or html. This being stored, will impact all users who have permissions to view the vulnerable page.

Vulnerable Endpoint: http://localhost/RemoteClinic/patients/reports.php?id=85 (In my case, 85 is My Patient Report ID).

Steps to Reproduce:

1) Login in Application as Doctor. 2) Register New Patient.

3) After Register New Patient, a page redirect to Register Report Page, when you scroll down page two fields there "Fever" and "Blood Pressure" where i inject XSS Payload:

4) Now go to home page.

5) Click on Report which shows on dashboard "Fever...".

6) XSS Executed on reports.php endpoint.

[Saud-Ahmad]

CVE-ID assigned for above vulnerability https://nvd.nist.gov/vuln/detail/CVE-2021-30039 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30039

[Saud-Ahmad]

Exploit has been Published by Exploit-DB https://www.exploit-db.com/exploits/49795