Advertisement






RemoteClinic 2.0 Multiple Stored Cross-Site Scripting (XSS)

CVE Category Price Severity
CVE-2021-30030 CWE-79 Unknown Unknown
Author Risk Exploitation Type Date
Unknown Unknown Remote 2021-04-22
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 0.02 0.274676

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021040124

Below is a copy:

RemoteClinic 2.0 Multiple Stored Cross-Site Scripting (XSS)
# Exploit Title: RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 13/04/2021
# Exploit Author: Saud Ahmad
# Vendor Homepage: https://remoteclinic.io/
# Software Link: https://github.com/remoteclinic/RemoteClinic
# Version: 2.0
# Tested on: Windows 10
# CVE : CVE-2021-30030, CVE-2021-30034, CVE-2021-30039, CVE-2021-30042

#Steps to Reproduce:

1)Login in Application as Doctor.
2)Register a Patient with Full Name Field as XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
3)After Register Patient, go to "Patients" endpoint.
4)XSS Executed.

For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/1

#Steps to Reproduce:

1)Login in Application as Doctor.
2)Register a Patient.
3)After Register Patient, a page redirect to Register Report Page. 
4)Here is "Symptoms" Field as XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
4)After Register Report, Click on home which is "dashboard" endpoint.
5)XSS Executed.

For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/5

#Steps to Reproduce:

1)Login in Application as Doctor.
2)Register a Patient.
3)After Register Patient, a page redirect to Register Report Page. 
4)When you scroll down page two fields there "Fever" and "Blood Pressure", both are vulnerable to XSS, inject XSS Payload in both Fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
4)After Register Report, Click on home.
5)Now Click on Report, XSS Executed.

For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/8

#Steps to Reproduce:

1)Login in Application as Doctor.
2)Register a New Clinic.
3)Here is four fields "Clinic Name", "Clinic Address", "Clinic City" and "Clinic Contact". All are vulnerable to XSS. 
4)Inject XSS Payload in all Fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
4)Now go to Clinic Directory.
5)Click on that Clinic.
6)XSS Executed.

For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/11

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum