In Remote Clinic v2.0, there are multiple Cross-Site Scripting vulnerabilities via the Contact, Email, Weight, Profession, ref_contact, and address parameters in /patients/register-patient.php. These parameters are vulnerable because the _POST values are not sanitized properly for XSS despite being passed through the friendly function.
In Remote Clinic v2.0, there is Stored Cross-Site Scripting and no sanitization of the gender, age, and serial parameters when they are retrieved by _POST in /patients/register-patient.php and sent to the database. This is possible by changing the values in the dropdowns in the browser's inspect menu.
In Remote Clinic v2.0, in patients/edit-patient.php, the Contact, Email, Weight, Profession, ref_contact, and address parameters being edited are not sanitized for Cross-Site Scripting when they are retrieved by _POST.
In Remote Clinic v2.0, in patients/edit-patient.php, the serial, age, and gender dropdown values can be changed via the inspect menu.
In Remote Clinic v2.0, in staff/edit-my-profile.php, the Title, First Name, Last Name, Skype, and Address parameters sent by _POST to be stored in the database are unsanitized and prone to Cross-Site Scripting (XSS).
In Remote Clinic v2.0, in clinics/settings.php, most of the parameters being passed into the database are sanitized insufficiently. The parameters that allow Cross-Site Scripting are portal_name, guardian_short_name, guardian_name, opening_time, closing_time, access_level_5, access_level_4, access_level_3, access_level_2, access_level_1, currency, mobile_number, address, patient_contact, patient_address, and patient_email.
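The root cause across these reports is the same: the server trusts whatever arrives in _POST, including values the page only offers as dropdowns. The following is an added example of the defensive pattern (server-side allowlist validation of dropdown fields, strict typing of numeric fields, and HTML-encoding at output time); it is not Remote Clinic's own code, and the function names, the allowed gender values, and the 255-character limit are assumptions for illustration.

```php
<?php
// Added example, not code from the Remote Clinic project.
// A <select> in the browser is not a control: the client can submit any
// value (e.g. by editing the DOM in the inspector), so the server must
// re-validate every field against what it is willing to accept.

// Assumed allowlist for the gender dropdown (not taken from the project).
const GENDER_ALLOWED = ['Male', 'Female', 'Other'];

function validate_patient_input(array $post): array
{
    $errors = [];
    $clean  = [];

    // Dropdown field: exact-match allowlist, reject anything else.
    $gender = $post['gender'] ?? '';
    if (in_array($gender, GENDER_ALLOWED, true)) {
        $clean['gender'] = $gender;
    } else {
        $errors[] = 'gender: value not in allowed list';
    }

    // age and serial: treat as non-negative integers, not free text.
    foreach (['age', 'serial'] as $field) {
        $value = filter_var($post[$field] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0]]);
        if ($value === false) {
            $errors[] = "$field: expected a non-negative integer";
        } else {
            $clean[$field] = $value;
        }
    }

    // Free-text fields: trim and length-limit on input; HTML-encoding belongs
    // at the point of output, not in the database.
    foreach (['contact', 'email', 'weight', 'profession', 'ref_contact', 'address'] as $field) {
        $clean[$field] = mb_substr(trim((string)($post[$field] ?? '')), 0, 255);
    }
    if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Output-side escaping: call this wherever a stored value is rendered into
// HTML, e.g. echo h($row['address']); instead of echo $row['address'];
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Rejecting the request when `$errors` is non-empty, and rendering only through `h()`, closes both halves of the problem the reports describe: untrusted dropdown values reaching the database, and stored values reaching the page unencoded.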