shihjay2 / nosh2

NOSH ChartingSystem is an electronic health record system designed exclusively for doctors and patients. This is a new mobile-friendly version that is now based off of the Laravel PHP framework and jQuery. NOSH has FHIR, Bluebutton, ICD-10, GoodRX API, RXNorm API, Phaxio, and UMA support.

Stored Cross Site Scripting(XSS) #202

Open abbisQQ opened 1 year ago

abbisQQ commented 1 year ago

A stored Cross-Site Scripting vulnerability was found in the create user functionality. To exploit it, we must create a user and pass the payload below as the first name.

[screenshot: xss1]

Then we save the user and navigate back to the main users panel. As we can see the xss payload is getting executed.

[screenshot: xss2]

You can prevent the above vulnerability by filtering user input and encoding it when it gets reflected to a page. https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html https://portswigger.net/web-security/cross-site-scripting#stored-cross-site-scripting

I made a public gist for the issue above: https://gist.github.com/abbisQQ/e0967d5b8355087c8e224bdd1ace3bf3
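The sink described in this issue is a stored profile field (the first name) that is later rendered into the users panel without output encoding. The following is an added example, not code from the nosh2 project or from the reporter's gist: it shows the vulnerable string-concatenation pattern beside its output-encoded counterpart, plus a small regression check that a practitioner could drop into a test suite. The function names, the row markup and the sample payload are all constructed for illustration; the payload is not the one used in the report.

```javascript
// Added example (not nosh2 code): stored-XSS sink vs. output-encoded rendering
// of a "first name" field in a users list. Names, markup and the sample payload
// are constructed for this illustration.

// Encode the characters that can break out of an HTML text node or a
// double-quoted attribute value. This is the "encode on output" step the
// OWASP cheat sheet recommends for the HTML body context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// VULNERABLE pattern: the stored field is concatenated straight into markup,
// the same class of bug as building a row string and handing it to jQuery's
// .html(). Whatever was saved as the first name becomes live HTML.
function renderUserRowUnsafe(user) {
  return '<tr><td>' + user.firstName + '</td><td>' + user.lastName + '</td></tr>';
}

// HARDENED pattern: every untrusted value is encoded for the HTML context it
// lands in, so a stored payload is shown as literal text instead of executed.
function renderUserRowSafe(user) {
  return '<tr><td>' + escapeHtml(user.firstName) +
         '</td><td>' + escapeHtml(user.lastName) + '</td></tr>';
}

// Regression check: after stripping the tags the template itself emits,
// does any raw tag opener remain in the rendered markup?
function leaksRawTag(html) {
  const withoutTemplateTags = html.replace(/<\/?(tr|td)>/g, '');
  return /<[a-zA-Z]/.test(withoutTemplateTags);
}

// Constructed sample record: a user whose first name carries a classic
// stored-XSS payload (constructed here; not the payload from the issue).
const sampleUser = {
  firstName: '<img src=x onerror=alert(1)>',
  lastName: 'Doe',
};

const unsafeRow = renderUserRowUnsafe(sampleUser); // payload survives intact
const safeRow = renderUserRowSafe(sampleUser);     // payload becomes inert text

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe row leaks a raw tag:', leaksRawTag(unsafeRow));
  console.log('safe row leaks a raw tag:  ', leaksRawTag(safeRow));
  console.log(safeRow);
}
```

In a Laravel view the equivalent fix is to echo the field with Blade's escaped `{{ $user->firstName }}` rather than the raw `{!! ... !!}` form, and on the jQuery side to insert the value with `.text()` rather than `.html()`; both apply the same encoding that `escapeHtml` does above.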