| Field | Value |
|---|---|
| Title | code-projects Online Appointment Booking System IN PHP 1.0 Cross Site Scripting |
| Description | A Stored Cross-Site Scripting (XSS) vulnerability exists in the Online Appointment Booking System in PHP, within the administrative doctor management functionality.<br><br>The vulnerability occurs in the following component:<br>`/Online-Appointment-Booking-System-master/Admin/deletedoctor.php`<br><br>The application processes user input submitted via HTTP POST parameters, including:<br>- `did` (doctor ID)<br>- `doctorname`<br><br>During request handling, the application accepts user-controlled input from these parameters and uses it without proper validation or sanitization. Testing indicates that malicious HTML or JavaScript injected into the `did` parameter is processed and later rendered within the application interface without output encoding.<br><br>Because the application fails to sanitize or encode the stored or reflected values, attacker-controlled payloads can execute in the browser of users interacting with the affected functionality.<br><br>Example payload used during testing:<br>`<script>alert(1)</script>`<br><br>Once the malicious input is processed, it may be reflected or stored and executed when the affected page is loaded or when application responses include the injected data. |
| Source | https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Online%20Appointment%20Booking%20System%20did%20Parameter.md |
| User | AhmadMarzouk (UID 95993) |
| Submission | 03/22/2026 19:43 (21 days ago) |
| Moderation | 04/05/2026 18:52 (14 days later) |
| Status | Duplicate |
| VulDB entry | 316742 [code-projects Online Appointment Booking System 1.0 /admin/deletedoctor.php did sql injection] |
| Points | 0 |
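The submission names the file and the `did` / `doctorname` parameters but shows no source. The following PHP is an added illustration, not code from the Online Appointment Booking System: it contrasts the unsafe pattern the description implies (request values interpolated into SQL and echoed into HTML unencoded) with a hardened handler that validates `did` as a positive integer, binds it in a prepared statement, and HTML-encodes anything echoed back. Function names, the `doctors` table and its `did` column are assumptions.

```php
<?php
// Added example, not the project's own deletedoctor.php.
// Hypothetical handler; table and column names are assumed.

declare(strict_types=1);

// Unsafe pattern matching the advisory: `did` and `doctorname` are used
// without validation, without parameter binding, and without output encoding.
function deleteDoctorUnsafe(mysqli $db, array $post): string
{
    $did  = $post['did'] ?? '';
    $name = $post['doctorname'] ?? '';
    $db->query("DELETE FROM doctors WHERE did = '$did'");   // string interpolation into SQL
    return "Deleted doctor $name (id $did)";                // request data rendered raw
}

// Hardened version: strict type validation, a bound parameter, and
// context-aware encoding. Returns an HTML fragment that is safe to echo.
function deleteDoctorSafe(mysqli $db, array $post): string
{
    // `did` must be a positive integer; "<script>alert(1)</script>" or
    // any other non-numeric value is rejected before it reaches storage.
    $did = filter_var(
        $post['did'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($did === false) {
        http_response_code(400);
        return 'Invalid doctor id';
    }

    // Bound parameter: the id is sent as data, never as SQL text.
    $stmt = $db->prepare('DELETE FROM doctors WHERE did = ?');
    $stmt->bind_param('i', $did);
    $stmt->execute();
    $stmt->close();

    // Encode for the HTML body context; quotes are encoded too so the
    // value is also safe inside an attribute.
    $name = htmlspecialchars(
        (string)($post['doctorname'] ?? ''),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return "Deleted doctor {$name} (id {$did})";
}
```

The same validate-then-bind rule addresses the SQL injection in the duplicate VulDB entry 316742, since both issues stem from the unchecked `did` value.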