Reported on

Apr 13th 2023


Stored XSS attack is possible.

Proof of Concept

Step 1: Go to the login URL and login as an admin.

Step 2: Click on Users tab and then click on Add button to create a new user with the following credentials.


First Name: <script>alert("XSS")</script>
Username: <script>alert("XSS")</script>
Last Name: <script>alert("XSS")</script>
Password: P@ssword123
Phone Number: 1234

Now, click on Save button, to add the user.

Step 3: Now, logout as administrator and login with the new user credentials we created above.


Username: <script>alert("XSS")</script>
Password: P@ssword123

Step 4: After logging in you will see alert boxes will start appearing.

POC worked! We are able to execute the JavaScript code.


An attacker can perform javascript injections on victim browser that will lead to cookie stealing, installing javascript malware and keyloggers, performing remote actions etc.

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. 8 months ago
Litesh Ghute
8 months ago


Please verify it and assign it a CVE :)

We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back 8 months ago
alextselegidis/easyappointments maintainer has acknowledged this report 8 months ago
Alex Tselegidis validated this vulnerability 8 months ago
Litesh Ghute has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit bddc5c 8 months ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability has been assigned a CVE
Alex Tselegidis published this vulnerability 8 months ago
to join this conversation