phpgurukul Doctor Appointment Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in phpGurukul's Doctor Appointment Management System version 1.0. This issue allows authenticated doctor users to inject arbitrary JavaScript into their profile names. The injected script is executed without proper sanitization when a patient selects the doctor to book an appointment, potentially leading to account takeover, session hijacking, or cookie theft.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the doctor's profile. This could result in session hijacking or account takeover.

Reproduction

To reproduce this vulnerability, an authenticated doctor user must inject JavaScript code into their profile name or employee ID. Once the profile is updated, the injected script will execute when a patient selects the doctor to book an appointment.