remoteclinic / RemoteClinic

Open Source Clinic Management System
https://remoteclinic.io
Other
81 stars 55 forks source link

Stored XSS vulnerability in /patients/reports.php?id={Report ID} #8

Open Saud-Ahmad opened 3 years ago

Saud-Ahmad commented 3 years ago

Stored XSS vulnerability in Version 2.0 which allows remote attacker to inject arbitrary script or html. This being stored, will impact all users who have permissions to view the vulnerable page.

Vulnerable Endpoint: http://localhost/RemoteClinic/patients/reports.php?id=85 (In my case, 85 is My Patient Report ID).

Steps to Reproduce:

1) Login in Application as Doctor. 2) Register New Patient.

1_edited

issue4_1

3) After Register New Patient, a page redirect to Register Report Page, when you scroll down page two fields there "Fever" and "Blood Pressure" where i inject XSS Payload: Capture1

issue4_2

4) Now go to home page.

issue4_3

5) Click on Report which shows on dashboard "Fever...".

issue5_1

6) XSS Executed on reports.php endpoint.

issue5_2

Saud-Ahmad commented 3 years ago

CVE-ID assigned for above vulnerability https://nvd.nist.gov/vuln/detail/CVE-2021-30039 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30039

Saud-Ahmad commented 3 years ago

Exploit has been Published by Exploit-DB https://www.exploit-db.com/exploits/49795