Valid

Reported on

Apr 13th 2023

Description

A stored cross-site scripting (XSS) attack is possible: script injected into user profile fields (first name, last name, username) is saved and later executed in the browser of whoever views it.

Proof of Concept

Step 1: Go to the login URL https://demo.easyappointments.org/index.php/user/login and login as an admin.

Step 2: Click on Users tab and then click on Add button to create a new user with the following credentials.

Credentials:

First Name: <script>alert("XSS")</script>
Username: <script>alert("XSS")</script>
Last Name: <script>alert("XSS")</script>
Password: P@ssword123
Email: demo@demo.com
Phone Number: 1234

Now click on the Save button to add the user.

Step 3: Now, logout as administrator and login with the new user credentials we created above.

Credentials:

Username: <script>alert("XSS")</script>
Password: P@ssword123

Step 4: After logging in, alert boxes will start appearing.

POC worked! We are able to execute the JavaScript code.
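The root cause in a stored XSS like this is that profile fields are written into markup without output encoding. The following added example (not code from the easyappointments project) contrasts the vulnerable rendering pattern with the hardened one, using a constructed user record that reuses the report's payload; the `escapeHtml` and `renderUserRow*` names are assumptions for illustration.

```javascript
// Constructed sample record reusing the payload from the proof of concept above.
const newUser = {
  firstName: '<script>alert("XSS")</script>',
  lastName: '<script>alert("XSS")</script>',
  username: '<script>alert("XSS")</script>',
  email: 'demo@demo.com',
};

// Minimal HTML entity encoder for values placed inside an element body.
// Attribute, URL and JavaScript contexts need their own encoders; this covers
// the text-node context used below. Ampersand must be encoded first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: user-controlled fields concatenated straight into markup.
// The stored <script> element is emitted verbatim and runs for every viewer.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.firstName} ${user.lastName}</td>` +
         `<td>${user.username}</td></tr>`;
}

// Hardened pattern: every user-controlled value is encoded for the HTML text
// context at the point of output, so the payload is displayed, not executed.
// (When building DOM nodes in the browser, element.textContent gives the same
// guarantee; innerHTML with raw values reproduces the vulnerable pattern.)
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.firstName)} ${escapeHtml(user.lastName)}</td>` +
         `<td>${escapeHtml(user.username)}</td></tr>`;
}

// Regression check for a test suite: markup rendered from profile fields must
// never contain a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe output has script tag:', containsScriptTag(renderUserRowUnsafe(newUser)));
console.log('safe output has script tag:  ', containsScriptTag(renderUserRowSafe(newUser)));
console.log(renderUserRowSafe(newUser));
```

Output encoding at render time is the fix that removes the vulnerability; rejecting angle brackets on input is at most defence in depth, since names legitimately contain characters such as `&` and `'`.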

Impact

An attacker can inject JavaScript into a victim's browser, which can lead to cookie theft, installation of JavaScript malware and keyloggers, performing remote actions on the victim's behalf, etc.

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. 8 months ago
Litesh Ghute
8 months ago

Researcher


Please verify it and assign it a CVE :)

We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back 8 months ago
alextselegidis/easyappointments maintainer has acknowledged this report 8 months ago
Alex Tselegidis validated this vulnerability 8 months ago
Litesh Ghute has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit bddc5c 8 months ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability has been assigned a CVE
Alex Tselegidis published this vulnerability 8 months ago