
URL: http://rlsec.xyz/vulns/CVE_2021_42868.html
Submission: On April 06 via api from US — Scanned from DE


CVE-2021-42868: CHIKITSA 2.0.2 XSS VULNERABILITY

Vulnerability found in Chikitsa by "HAXSS", a Reinforcement Learning Agent for
Cross Site Scripting (XSS) testing.


DESCRIPTION:

The "First name" field of the "/patient/insert" page of Chikitsa 2.0.2 is
subject to a Cross Site Scripting (XSS) vulnerability that appears on multiple
pages: /patient/patient_report, /appointment/appointment_report,
/patient/visit_report, /patient/bill_detail_report. This allows malicious users
to send an authenticated POST HTTP request to inject JavaScript or HTML.


KNOWN PAYLOADS:

 * </script><style onload=alert(token)> </style>
 * ></script><script> onerror=alert(token)</script>


STEPS TO REPRODUCE:

1. Log into the admin panel ('index.php/login/index').

2. Use the dashboard to navigate to the Add Patient page ('/patient/insert').

3. Edit the "First Name" field on the page to a malicious payload.

4. Save the settings.

5. Navigate to any of 'patient/patient_report', 'patient/visit_report',
'patient/bill_detail_report' and the vulnerability is shown.
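
MITIGATION EXAMPLE (added here, not part of the original advisory and not Chikitsa's own code):

The sketch below shows context-aware output encoding for the "First name" value, using the two payloads under KNOWN PAYLOADS as regression inputs. The advisory does not say where the report pages place the value, so both an HTML context and a JavaScript string inside a script block are covered as assumptions; the function names are hypothetical.

```php
<?php
// Added example, not Chikitsa code. Function names are hypothetical.

// Encode a value for an HTML text node or a quoted attribute value.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a value as a JavaScript string literal inside a <script> block.
// The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX escapes, so the
// output can neither contain "</script>" nor close the surrounding string.
function encode_for_script(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Regression inputs: the two payloads from the advisory plus a benign
// name (constructed) to confirm legitimate data survives encoding.
$inputs = [
    '</script><style onload=alert(token)> </style>',
    '></script><script> onerror=alert(token)</script>',
    "O'Brien",
];

foreach ($inputs as $firstName) {
    $html = encode_for_html($firstName);
    $js   = encode_for_script($firstName);

    // No angle bracket may survive in either output context.
    foreach ([$html, $js] as $encoded) {
        if (preg_match('/[<>]/', $encoded)) {
            throw new RuntimeException("unencoded markup in: $encoded");
        }
    }

    // Encoding must be lossless: decoding returns the stored value unchanged.
    if (html_entity_decode($html, ENT_QUOTES, 'UTF-8') !== $firstName
        || json_decode($js, false, 512, JSON_THROW_ON_ERROR) !== $firstName) {
        throw new RuntimeException('encoding altered the stored value');
    }

    echo $html, PHP_EOL, $js, PHP_EOL;
}
```

Encoding belongs at every page that renders the field (the report pages listed in the description), since the value is stored once and displayed in several places.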