Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSoham BakorePACKETSTORM:161574
HistoryFeb 26, 2021 - 12:00 a.m.

Doctor Appointment System 1.0 Cross Site Scripting

2021-02-2600:00:00
Soham Bakore
packetstormsecurity.com
142
exploit
cross site scripting
input validation
vulnerable file
poc
cve-2021-27317
cve-2021-27318
web application
cookie theft
phishing

EPSS

0.002

Percentile

57.7%

JSON
`# Exploit Title: Doctor Appointment System 1.0 - Reflected POST based Cross Site Scripting (XSS) in comment parameter  
# Date: 26-02-2021  
# CVE: CVE-2021-27317  
# Exploit Author: Soham Bakore  
# Vendor Homepage: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html  
# Software Link: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html  
# Version: V1.0  
  
Vulnerable File:  
----------------  
http://host/doctorappointment/contactus.php  
<http://host/patient/search_result.php>  
  
Vulnerable Issue:  
-----------------  
comment parameter has no input validation  
  
POC:  
----  
1] Navigate to http://host/doctorappointment/contactus.php  
2] In the comment parameter enter following payload to execute arbitrary  
javascript code : '</script><svg/onload=alert(document.cookie)>  
3] This can be used to steal cookies or perform phishing attacks on the web  
application  
------------------  
  
# Exploit Title: Doctor Appointment System 1.0 - Reflected POST based Cross Site Scripting (XSS) in lastname parameter  
# Date: 26-02-2021  
# CVE: CVE-2021-27318  
# Exploit Author: Soham Bakore  
# Vendor Homepage: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html  
# Software Link: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html  
# Version: V1.0  
  
Vulnerable File:  
----------------  
http://host/doctorappointment/contactus.php  
<http://host/patient/search_result.php>  
  
Vulnerable Issue:  
-----------------  
lastname parameter has no input validation  
  
POC:  
----  
1] Navigate to http://host/doctorappointment/contactus.php  
2] In the lastname parameter enter following payload to execute arbitrary  
javascript code : '</script><svg/onload=alert(document.cookie)>  
3] This can be used to steal cookies or perform phishing attacks on the web  
application  
`

Related

zdt 1
cvelist 2
cve 2
prion 2
nvd 2
zdt
zdt
Doctor Appointment System 1.0 Cross Site Scripting Vulnerability
2021-02-26 00:00:00
cvelist
cvelist
CVE-2021-27318
2021-03-01 20:14:14
CVE-2021-27317
2021-03-01 20:16:34
cve
cve
CVE-2021-27317
2021-03-01 21:15:14
CVE-2021-27318
2021-03-01 21:15:14
prion
prion
Cross site scripting
2021-03-01 21:15:00
Cross site scripting
2021-03-01 21:15:00
nvd
nvd
CVE-2021-27317
2021-03-01 21:15:14
CVE-2021-27318
2021-03-01 21:15:14

EPSS

0.002

Percentile

57.7%

JSON
Related for PACKETSTORM:161574
zdt1cvelist2cve2prion2nvd2