Vendor: Easy!Appointments
By: Gjoko 'LiquidWorm' Krstic
CVSS: 8.8 (HIGH)
CWE: 79 (Stored XSS)
Product Name: Easy!Appointments
Affected Version From: 1.2.1
Affected Version To: 1.2.1
Patch Exists: YES
Related CWE: N/A
CPE: a:alex_tselegidis:easy!appointments
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache/2.4.23 (Win32), OpenSSL/1.0.2h, MariaDB-10.1.19, PHP/5.6.28
Date: 2017
Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities
The application suffers from multiple stored and reflected XSS vulnerabilities. The issues are triggered when untrusted input passed via multiple POST and GET parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
Mitigation:
Input validation and context-aware output encoding should be applied to all user-supplied data before it is rendered, to prevent XSS attacks.