Description: A stored cross-site scripting (XSS) vulnerability in Hospital Management System

System: Hospital Management System https://github.com/kishan0725/Hospital-Management-System/

Version affected: 1.0

Version fixed: N/A

Researcher: Simon Njuguna

Proof of concept

Description: A cross-site scripting (XSS) vulnerability in the /contact.php
component of Hospital Management System v1.0 allows attackers to
execute arbitrary web scripts or HTML by injecting a crafted payload
into the txtEmail parameter.

  1. Go to /contact.html and create a new message
  1. Intercept the request using Burp Suite or ZAP proxy
  1. Change the email parameter value to <script>alert(document.cookie)</script>
  1. Forward the request
  1. Log in as admin.
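
One way to close the issue described above, as an added example that is not code from the Hospital Management System repository: validate txtEmail on the server and HTML-encode stored fields when the admin page renders them. The function names and the sample row are hypothetical; only the txtEmail parameter and the step 3 value come from this advisory.

```php
<?php
declare(strict_types=1);
// Added example: not code from the Hospital-Management-System repository.
// Function names and sample values are hypothetical / constructed.

// Input side: enforce the e-mail format on the server. A check that runs only
// in the browser is skipped when the request is edited in a proxy (step 2).
function validate_contact_email(?string $raw): ?string
{
    $candidate = trim((string) $raw);
    if ($candidate === '' || strlen($candidate) > 254) {
        return null;
    }
    $email = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Output side: HTML-encode every stored field when it is written into a page,
// so rows saved before the input check existed are rendered as text.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_contact_row(array $row): string
{
    return '<tr><td>' . h($row['name']) . '</td><td>' . h($row['email'])
        . '</td><td>' . h($row['message']) . '</td></tr>';
}

// Constructed input: the txtEmail value from step 3 and a well-formed address.
$fromPoc = '<script>alert(document.cookie)</script>';
foreach ([$fromPoc, 'patient@example.com'] as $value) {
    $email = validate_contact_email($value);
    echo $email === null ? "rejected, nothing stored\n" : "accepted: {$email}\n";
}

// Constructed row standing in for one stored while the flaw was present.
echo render_contact_row([
    'name'    => 'Constructed Name',
    'email'   => $fromPoc,
    'message' => 'Constructed message',
]), PHP_EOL;
```

Both controls are needed: server-side validation narrows what can be stored, while output encoding is what keeps an already stored value from executing in the admin's browser.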