EasyAppointments Stored Cross-Site Scripting Vulnerability in Legal Settings Allowing Arbitrary Script Execution

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in EasyAppointments version 1.5.0, developed by Alex Tselegidis. The custom policy fields (such as the cookie policy) submitted to the '/index.php/legal_settings' endpoint accept arbitrary HTML, and the stored content is rendered back without escaping or sanitisation, so any script it contains runs in the browser of every user who loads a page that renders the stored text, including the legal settings page itself. Because these fields are intended to hold rich text from a WYSIWYG editor, escaping the output on display would break legitimate formatting; the markup has to be reduced to a safe subset of tags and attributes on the server. The accompanying proof of concept uses the flaw to exfiltrate session cookies and take over an account.

Impact

Scripts injected into the policy fields execute in the victim's browser with the privileges of the victim's session, so the attacker can read anything that session can read and perform any action it can perform. In the proof of concept this is used to steal session cookies, which leads to account takeover of the administrator who views the page. Injecting the payload requires an account that can edit the legal settings, so the realistic scenario is a lower-trust or compromised administrative user escalating against other administrators, or an attacker persisting access after a one-time compromise.

Reproduction

To reproduce this vulnerability, log into the admin panel of EasyAppointments 1.5.0 and navigate to the '/index.php/legal_settings' page. In the cookie policy field, use the text editor's embed code option to insert an image tag whose markup reports the visitor's cookies to a server under your control. Save the settings; the payload is stored and fires every time the legal settings page is visited. Two checks worth making while testing: a bare image request only carries cookies scoped to the image's own origin, so exfiltrating the victim's session needs script execution (for example an event handler on the tag that reads document.cookie), and that only yields the session cookie if it is not flagged HttpOnly. Even with HttpOnly set, the injected script still runs as the victim and can drive the application directly.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.