Vendor: RemoteClinic
By: Saud Ahmad
CVSS: 5.4 (MEDIUM)
Vulnerability: Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: RemoteClinic
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: YES
Related CVE: CVE-2021-30030, CVE-2021-30034, CVE-2021-30039, CVE-2021-30042, CVE-2021-31329
CPE: 2.3:a:remoteclinic:remoteclinic:2.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
2021

RemoteClinic 2.0 – ‘Multiple’ Stored Cross-Site Scripting (XSS)

RemoteClinic 2.0 contains multiple stored cross-site scripting (XSS) vulnerabilities. An attacker can inject malicious JavaScript into the application through the vulnerable fields. The application stores the code and it executes in the browser of any user who visits the affected page.

Mitigation:

Input validation should be used to prevent malicious code from being stored in the application. The application should also use a Content Security Policy (CSP) to prevent the execution of malicious code.

Exploit-DB raw data:

# Exploit Title: RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 13/04/2021
# Exploit Author: Saud Ahmad
# Vendor Homepage: https://remoteclinic.io/
# Software Link: https://github.com/remoteclinic/RemoteClinic
# Version: 2.0
# Tested on: Windows 10
# CVE : CVE-2021-30030, CVE-2021-30034, CVE-2021-30039, CVE-2021-30042, CVE-2021-31329

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Register a patient with the Full Name field set to the XSS payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
3) After registering the patient, go to the "Patients" endpoint.
4) The XSS executes.

For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/1

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Register a patient.
3) After the patient is registered, the page redirects to the Register Report page.
4) Enter the XSS payload in the "Symptoms" field: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
5) After registering the report, click on Home, which is the "dashboard" endpoint.
6) The XSS executes.

For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/5

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Register a patient.
3) After the patient is registered, the page redirects to the Register Report page.
4) Scroll down the page to the two fields "Fever" and "Blood Pressure". Both are vulnerable to XSS; inject the XSS payload in both fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
5) After registering the report, click on Home.
6) Now click on Report; the XSS executes.

For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/8

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Register a new clinic.
3) There are four fields here: "Clinic Name", "Clinic Address", "Clinic City" and "Clinic Contact". All are vulnerable to XSS.
4) Inject the XSS payload in all fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
5) Now go to the Clinic Directory.
6) Click on that clinic.
7) The XSS executes.

For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/11

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Create a new medicine.
3) The Medicine Name field is vulnerable to XSS; inject the XSS payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
4) There is client-side validation on maxlength, but none on the server side.
5) Change maxlength from 30 to 100.
6) Click on Register.
7) Now click on Show All, which is the /medicines/ endpoint.
8) The XSS executes.

Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/14

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Create a new staff member.
3) The Chat field and the Personal Address field are vulnerable to XSS; inject the XSS payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
4) The profile is created.
5) Sign out.
6) Now log in as the staff member whose Chat and Personal Address fields contain the XSS payload.
7) After logging in, go to My Profile.
8) The XSS executes.

Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/16
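
The Mitigation section and the client-side-only maxlength check in the Medicine Name case, as an added defensive sketch (not RemoteClinic's code and not part of the Exploit-DB entry): it enforces the length limit on the server, encodes stored values at render time, and sends a CSP header. The function names, the 30-character limit taken from the maxlength on the page, and the policy string are assumptions, and output encoding is added here because a value can pass validation and still contain markup.

```python
import html

# Assumed limit: the page mentions a client-side maxlength of 30 on Medicine Name.
MAX_NAME_LEN = 30

# Assumed policy: inline scripts and inline event handlers are not executed.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
)


class ValidationError(ValueError):
    """Raised when a submitted field fails the server-side checks."""


def validate_name(value, max_len=MAX_NAME_LEN):
    """Server-side check; the browser's maxlength attribute is advisory only."""
    value = value.strip()
    if not value:
        raise ValidationError("empty value")
    if len(value) > max_len:
        raise ValidationError("longer than %d characters" % max_len)
    if any(ord(c) < 0x20 for c in value):
        raise ValidationError("control characters not allowed")
    return value


def render_row(name):
    """Encode at output time; safe in both attribute and element context."""
    safe = html.escape(name, quote=True)  # escapes & < > " '
    return '<tr><td title="%s">%s</td></tr>' % (safe, safe)


def render_page(names):
    """Return (headers, body) for a listing page of stored names."""
    rows = "".join(render_row(n) for n in names)
    headers = [("Content-Type", "text/html; charset=utf-8"), CSP_HEADER]
    return headers, "<table>%s</table>" % rows


if __name__ == "__main__":
    # Constructed sample: one normal value, one that tries to break out of an attribute.
    stored = ["Paracetamol", 'X"><img src=x onerror=alert(1)>']
    headers, body = render_page(stored)
    print(headers)
    print(body)
```

Encoding happens in `render_row` rather than at storage time, so values already in the database are neutralised on display as well.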