Hospital Management System 4.0 Cross Site Scripting

Hospital Management System version 4.0 suffers from a persistent cross site scripting vulnerability in add-patient.php. This version is already known to have persistent cross site scripting issues.

MD5 | 585182c2d13871ee4e287907dfdb7ef6

Download

# Exploit Title: Hospital Management System 4.0 Stored Cross-Site Scripting Vulnerability
# Date: 2020-01-20
# Exploit Author: Priyanka Samak
# Vendor Homepage: https://phpgurukul.com/

# Software Link : https://phpgurukul.com/hospital-management-system-in-php/

# Software : Hospital Management System
# Version : 4.0
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# Tested on: Windows 10

# This application is vulnerable to Stored XSS vulnerability. This

# Vulnerability exists in the DOCTOR Module of the application.

# Vulnerable script: http://localhost/hospital/hms/doctor/add-patient.php

# Vulnerable parameter: “Medical History” Input Field

# Payload used: <script>alert(“YOU ARE FOOLED!!”)</script>
# POC: http://localhost/hospital/hms/doctor/add-patient.php in this
# URL you can add the patient information.
# Enter your payload into the Medical History field. Click on
# the Manage Patient page and View the information,  you will see your Javascript code executes.


Thanks,
Priyanka Samak

Source: packetstormsecurity.com