Smart Hospital 3.1 "Add Patient" Stored XSS

2020.12.18
Credit: Kislay Kumar
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Smart Hospital 3.1 - "Add Patient" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-18
# Vendor Homepage: https://smart-hospital.in/index.html
# Software Link: https://codecanyon.net/item/smart-hospital-hospital-management-system/23205038
# Affected Version: Version 3.1
# Tested on: Kali Linux

Step 1. Log in to the application with Super Admin credentials.

Step 2. Click on "OPD-Out Patient", then click on "Add Patient", then select "Add Patient" again.

Step 3. Insert the payload - "><svg/onmouseover=alert(1)> - in Name, Guardian Name, Email, Address, Remarks and Any Known Allergies, and save it.

Step 4. The patient profile will now open; when your cursor moves around the profile details, an alert box is shown.
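The steps above work because the stored field values reach the profile page without output encoding. The following added example (not the vendor's code; the render functions, field keys and sample record are assumptions made for illustration) contrasts unencoded rendering with encoding at output time, and includes an audit helper for finding records that were saved with markup before a fix.

```javascript
// Added example: hypothetical helpers, not Smart Hospital's own code.
// Field keys mirror the fields named in the advisory.
const PATIENT_FIELDS = ["name", "guardian_name", "email", "address", "remarks", "known_allergies"];

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": stored values are concatenated straight into the markup.
function renderProfileUnsafe(patient) {
  return PATIENT_FIELDS.map((f) => `<td title="${patient[f]}">${patient[f]}</td>`).join("");
}

// "After": every stored value is encoded when it is written into the page.
function renderProfileSafe(patient) {
  return PATIENT_FIELDS.map((f) => {
    const v = escapeHtml(patient[f] ?? "");
    return `<td title="${v}">${v}</td>`;
  }).join("");
}

// Audit helper: report which fields of a stored record contain markup
// characters, to locate records saved before output encoding was added.
function fieldsWithMarkup(patient) {
  return PATIENT_FIELDS.filter((f) => /[<>"]/.test(String(patient[f] ?? "")));
}

// Constructed sample record using the payload quoted in the advisory.
const samplePatient = {
  name: '"><svg/onmouseover=alert(1)>',
  guardian_name: "Jane Doe",
  email: "patient@example.test",
  address: "12 Example Road",
  remarks: '"><svg/onmouseover=alert(1)>',
  known_allergies: "Penicillin",
};

console.log(renderProfileSafe(samplePatient));
console.log(fieldsWithMarkup(samplePatient));
```

Encoding at output time also covers records already in the database; input validation alone would leave those in place.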

