[webapps] RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)

# Exploit Title: RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS) # Date: 13/04/2021 # Exploit Author: Saud Ahmad # Vendor Homepage: https://remoteclinic.io/ # Software Link: https://github.com/remoteclinic/RemoteClinic # Version: 2.0 # Tested on: Windows 10 # CVE : CVE-2021-30030, CVE-2021-30034, CVE-2021-30039, CVE-2021-30042, CVE-2021-31329 #Steps to Reproduce: 1)Login in Application as Doctor. 2)Register a Patient with Full Name Field as XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)> 3)After Register Patient, go to "Patients" endpoint. 4)XSS Executed. For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/1 #Steps to Reproduce: 1)Login in Application as Doctor. 2)Register a Patient. 3)After Register Patient, a page redirect to Register Report Page. 4)Here is "Symptoms" Field as XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)> 4)After Register Report, Click on home which is "dashboard" endpoint. 5)XSS Executed. For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/5 #Steps to Reproduce: 1)Login in Application as Doctor. 2)Register a Patient. 3)After Register Patient, a page redirect to Register Report Page. 4)When you scroll down page two fields there "Fever" and "Blood Pressure", both are vulnerable to XSS, inject XSS Payload in both Fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)> 4)After Register Report, Click on home. 5)Now Click on Report, XSS Executed. For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/8 #Steps to Reproduce: 1)Login in Application as Doctor. 2)Register a New Clinic. 3)Here is four fields "Clinic Name", "Clinic Address", "Clinic City" and "Clinic Contact". All are vulnerable to XSS. 4)Inject XSS Payload in all Fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)> 4)Now go to Clinic Directory. 5)Click on that Clinic. 6)XSS Executed. For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/11 #Steps to Reproduce: 1)Login in Application as Doctor. 2)Create a New Medicine. 3)Medicine Name Field is Vulnerable to XSS, inject with XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)> 4)But there is client side validation on maxlength but not on server side. 4)Change maxlength 30 to 100. 5)Click on Register. 6)Now Click on Show All which is /medicines/ endpoint. 7)XSS Executed. Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/14 #Steps to Reproduce: 1)Login in Application as Doctor. 2)Create a New Staff Member. 3)Here is Chat Field and Personal Address Field are Vulnerable to XSS, inject with XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)> 4)Profile Created. 5)Signout. 6)Now login with that staff member which Chat field and Personal Address field consist of XSS Payload. 7)After Login, go to my profile. 8)XSS Executed. Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/16