Stored XSS attack is possible.
Step 1: Go to the login URL https://demo.easyappointments.org/index.php/user/login
and login as an admin.
Step 2: Click on Users tab and then click onAdd button to create a new user with the following credentials.
Credentials:
First Name: <script>alert("XSS")</script>
Username: <script>alert("XSS")</script>
Last Name: <script>alert("XSS")</script>
Password: P@ssword123
Email: [email protected]
Phone Number: 1234
Now, click on Save button, to add the user.
Step 3: Now, logout as administrator and login with the new user credentials we created above.
Credentials:
Username: <script>alert("XSS")</script>
Password: P@ssword123
Step 4: After logging in you will see alert boxes will start appearing.
POC worked! We are able to execute the JavaScript code.