Smart Hospital 3.1 "Add Patient" Stored XSS

2020.12.18

Credit: Kislay Kumar

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Smart Hospital 3.1 - "Add Patient" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-18
# Vendor Homepage: https://smart-hospital.in/index.html
# Software Link: https://codecanyon.net/item/smart-hospital-hospital-management-system/23205038
# Affected Version: Version 3.1
# Tested on: Kali Linux
Step 1. Login to the application with Super Admin credentials
Step 2. Click on "OPD-Out Patient" and then click on "Add Patient" then
select "Add Patient" Again.
Step 3. Insert payload - "><svg/onmouseover=alert(1)> , in Name , Guardian
Name , Email , Address , Remarks and Any Known Allergies and Save it.
Step 4. Now the patient profile will open , when your course will move
around profile details they will show an alert box.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Smart Hospital 3.1 "Add Patient" Stored XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.