huntr | Liteshghute | DD7C04A7-A984-4387-9AC4-24596E7ECE44
History: Apr 13, 2023 - 3:38 p.m.

Stored XSS

2023-04-13 15:38:28
liteshghute
www.huntr.dev
stored xss
easy appointments
user input
javascript code execution
bug bounty

EPSS

0.001

Percentile

34.5%

Description

A stored XSS attack is possible.

Proof of Concept

Step 1: Go to the login URL https://demo.easyappointments.org/index.php/user/login and log in as an admin.

Step 2: Click on the Users tab and then click on the Add button to create a new user with the following credentials.

Credentials:

First Name: <script>alert("XSS")</script>
Username: <script>alert("XSS")</script>
Last Name: <script>alert("XSS")</script>
Password: P@ssword123
Email: [email protected]
Phone Number: 1234

Now click on the Save button to add the user.

Step 3: Now log out as administrator and log in with the new user credentials we created above.

Credentials:

Username: <script>alert("XSS")</script>
Password: P@ssword123

Step 4: After logging in, you will see alert boxes start appearing.

POC worked! We are able to execute the JavaScript code.
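The PoC implies that the stored user fields reach a page without output encoding. The following is an added example, not part of the original report and not Easy!Appointments code: it contrasts unencoded rendering of the Step 2 values with encoded rendering plus a save-time username allowlist. The function names, the markup and the username policy are assumptions.

```javascript
// Added example: all names below are hypothetical, not Easy!Appointments code.

// Constructed record matching the values entered in Step 2 of the PoC.
const storedUser = {
  first_name: '<script>alert("XSS")</script>',
  last_name: '<script>alert("XSS")</script>',
  username: '<script>alert("XSS")</script>',
};

// Vulnerable pattern: stored fields are concatenated into markup as-is,
// so the browser parses the stored <script> element and runs it.
function renderGreetingUnsafe(user) {
  return '<span class="user">' + user.first_name + ' ' + user.last_name + '</span>';
}

// Encode the characters that are significant in HTML text and in quoted
// attribute values. "&" is replaced first so later entities stay intact.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every stored field is encoded at the point of output.
function renderGreetingSafe(user) {
  return '<span class="user">' + escapeHtml(user.first_name) + ' ' +
    escapeHtml(user.last_name) + '</span>';
}

// Defense in depth at save time: allowlist for usernames (assumed policy).
// Output encoding is still required, since names such as O'Brien must
// remain storable in the first/last name fields.
function isValidUsername(username) {
  return typeof username === 'string' && /^[A-Za-z0-9._-]{3,64}$/.test(username);
}

console.log(renderGreetingUnsafe(storedUser)); // markup contains a live <script>
console.log(renderGreetingSafe(storedUser));   // payload is rendered as text
console.log(isValidUsername(storedUser.username));
```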
