# Exploit Title: RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 13/04/2021
# Exploit Author: Saud Ahmad
# Vendor Homepage: https://remoteclinic.io/
# Software Link: https://github.com/remoteclinic/RemoteClinic
# Version: 2.0
# Tested on: Windows 10
# CVE : CVE-2021-30030, CVE-2021-30034, CVE-2021-30039, CVE-2021-30042, CVE-2021-31329

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Register a Patient with the XSS payload in the Full Name field: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
3) After registering the Patient, go to the "Patients" endpoint.
4) XSS executed.
For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/1

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Register a Patient.
3) After registering the Patient, the page redirects to the Register Report page.
4) Enter the XSS payload in the "Symptoms" field: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
5) After registering the Report, click on Home, which is the "dashboard" endpoint.
6) XSS executed.
For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/5

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Register a Patient.
3) After registering the Patient, the page redirects to the Register Report page.
4) Scroll down the page to the two fields "Fever" and "Blood Pressure". Both are vulnerable to XSS; inject the XSS payload in both fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
5) After registering the Report, click on Home.
6) Now click on Report. XSS executed.
For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/8

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Register a New Clinic.
3) There are four fields: "Clinic Name", "Clinic Address", "Clinic City" and "Clinic Contact". All are vulnerable to XSS.
4) Inject the XSS payload in all fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
5) Now go to the Clinic Directory.
6) Click on that Clinic.
7) XSS executed.
For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/11

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Create a New Medicine.
3) The Medicine Name field is vulnerable to XSS; inject the XSS payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
4) There is client-side validation on maxlength, but none on the server side.
5) Change maxlength from 30 to 100.
6) Click on Register.
7) Now click on Show All, which is the /medicines/ endpoint.
8) XSS executed.
Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/14

#Steps to Reproduce:

1) Log in to the application as Doctor.
2) Create a New Staff Member.
3) The Chat field and the Personal Address field are vulnerable to XSS; inject the XSS payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
4) Profile created.
5) Sign out.
6) Now log in as the staff member whose Chat and Personal Address fields contain the XSS payload.
7) After login, go to My Profile.
8) XSS executed.
Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/16
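
An added example (not part of the original advisory and not RemoteClinic's code) of two server-side controls for the fields listed above: a length check enforced on the server, which the Medicine Name steps bypass by editing maxlength in the browser, and HTML encoding when the stored value is rendered. The function names, field keys and the 100-character limit are assumptions; it needs PHP's mbstring extension.

```php
<?php
declare(strict_types=1);

// Hypothetical field limits. 30 mirrors the client-side maxlength the
// advisory mentions for Medicine Name; the other limit is an assumption.
const FIELD_LIMITS = ['medicine_name' => 30, 'full_name' => 100];

/** Validate on the server: the browser's maxlength attribute is advisory only. */
function validate_field(string $field, string $value): string
{
    if (!array_key_exists($field, FIELD_LIMITS)) {
        throw new InvalidArgumentException("unknown field: $field");
    }
    $value = trim($value);
    if ($value === '' || !mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException("$field: empty or not valid UTF-8");
    }
    if (mb_strlen($value, 'UTF-8') > FIELD_LIMITS[$field]) {
        throw new InvalidArgumentException("$field: longer than " . FIELD_LIMITS[$field]);
    }
    return $value; // stored unmodified; encoding happens at output time
}

/** Encode for an HTML text node or a quoted attribute value when rendering. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The payload string from the advisory, used here as test input.
$payload = 'XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>';

// 1) The server-side length check rejects it for the 30-character field,
//    regardless of what the form's maxlength was changed to.
try {
    validate_field('medicine_name', $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// 2) Where a longer field accepts it, output encoding renders it as text:
//    the quote and angle brackets become entities, so no <img> tag is created.
$stored = validate_field('full_name', $payload);
echo '<td title="', h($stored), '">', h($stored), "</td>\n";
```

The length check only narrows what can be stored; the encoding step is what stops the stored value from being parsed as markup, so it has to be applied at every place a field is rendered.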