Bayanno hospital management system 4.0 cross-site scripting Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2018-09-11 |
Type : webapps |
Platform : php
This exploit / vulnerability, Bayanno hospital management system 4.0 cross-site scripting, is for educational purposes only; if you use it, you do so at your own risk!
# 1. Description
# Due to improper handling of user input and a lack of output encoding, unauthenticated users are able
# to inject malicious code by making an appointment. The malicious code runs in the admin panel.
# 2. PoC
- To make an appointment go to: /bayanno/index.php?home/appointment
- Select “New Patient”.
- Type <script>alert(1)</script> as name.
- Fill the other fields with proper values.
- Click the “Book Now” button.
- Go to the admin panel and log in as admin: /bayanno/index.php?login
- To view patients go to: /bayanno/index.php?admin/patient
- The malicious script will run.
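
The fix for the missing output encoding named in the description, as an added example (not part of the original advisory and not Bayanno's own code): a patient-table row renderer that encodes stored fields before they reach the admin page, plus an input check for the appointment form. The function names, array keys and sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a stored value for an HTML text or attribute context.
function e(?string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical input check for the appointment form: 1 to 100 letters, marks,
// spaces, dots, apostrophes or hyphens. This is defence in depth only; the
// encoding on output is still required for every stored field.
function validatePatientName(string $name): bool
{
    return preg_match('/^[\p{L}\p{M} .\'-]{1,100}\z/u', trim($name)) === 1;
}

// Render one row of the admin patient table with every field encoded.
function renderPatientRow(array $patient): string
{
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        e((string) $patient['id']),
        e($patient['name']),
        e($patient['email'])
    );
}

// Constructed sample rows: the second carries the name used in the PoC above.
$patients = [
    ['id' => 1, 'name' => "Anne O'Neil", 'email' => 'anne@example.test'],
    ['id' => 2, 'name' => '<script>alert(1)</script>', 'email' => 'x@example.test'],
];

foreach ($patients as $p) {
    printf(
        "valid=%s  %s\n",
        validatePatientName($p['name']) ? 'yes' : 'no',
        renderPatientRow($p)
    );
}
```

The second row fails validation and, even if it had been stored, is rendered as inert text because its angle brackets are emitted as HTML entities.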