Doctor Appointment System 1.0 Cross Site Scripting ≈ Packet Storm – Digitalmunition

Published on February 27th, 2021

# Exploit Title: Doctor Appointment System 1.0 – Reflected POST based Cross Site Scripting (XSS) in comment parameter
# Date: 26-02-2021
# CVE: CVE-2021-27317
# Exploit Author: Soham Bakore
# Vendor Homepage: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Software Link: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Version: V1.0

Vulnerable File:
—————-
http://host/doctorappointment/contactus.php

Vulnerable Issue:
—————–
The comment parameter has no input validation and is reflected into the response without output encoding.

POC:
—-
1] Navigate to http://host/doctorappointment/contactus.php
2] In the comment parameter, enter the following payload to execute arbitrary JavaScript code: ‘
3] This can be used to steal cookies or perform phishing attacks on the web application.
——————

# Exploit Title: Doctor Appointment System 1.0 – Reflected POST based Cross Site Scripting (XSS) in lastname parameter
# Date: 26-02-2021
# CVE: CVE-2021-27318
# Exploit Author: Soham Bakore
# Vendor Homepage: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Software Link: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Version: V1.0

Vulnerable File:
—————-
http://host/doctorappointment/contactus.php

Vulnerable Issue:
—————–
The lastname parameter has no input validation and is reflected into the response without output encoding.

POC:
—-
1] Navigate to http://host/doctorappointment/contactus.php
2] In the lastname parameter, enter the following payload to execute arbitrary JavaScript code: ‘
3] This can be used to steal cookies or perform phishing attacks on the web application.
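Both findings above share one root cause: POST fields from contactus.php are echoed back into HTML without encoding. The following hardened handler is an added example, not code from the Doctor Appointment System project; the field names come from the advisory, while the length caps, the form layout and the CSP header are assumptions.

```php
<?php
// Added example (not the vendor's contactus.php): reflect the comment and
// lastname POST fields safely by encoding on output and validating on input.
declare(strict_types=1);

/** Encode a value for an HTML text node or a double-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string (which would hide bad input).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Read a POST field as a string, trim it, and enforce a server-side length cap. */
function field(string $name, int $maxLen): string
{
    $raw = $_POST[$name] ?? '';
    $value = is_string($raw) ? trim($raw) : '';
    return mb_substr($value, 0, $maxLen);
}

header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: a CSP without 'unsafe-inline' stops reflected inline
// scripts from running even if an encoding call is forgotten elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

$lastname = field('lastname', 64);   // assumed cap
$comment  = field('comment', 2000);  // assumed cap
?>
<form method="post" action="contactus.php">
  <label>Last name <input name="lastname" value="<?= h($lastname) ?>"></label>
  <label>Comment <textarea name="comment"><?= h($comment) ?></textarea></label>
  <button type="submit">Send</button>
</form>
<?php if ($comment !== ''): ?>
<p>Thank you, <?= h($lastname) ?>. We received your comment: <?= h($comment) ?></p>
<?php endif; ?>
```

Every reflection of user input goes through h(), so markup submitted in either field is rendered as literal text rather than parsed by the browser.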