Vulnerability found in Chikitsa by "HAXSS", a Reinforcement Learning Agent for Cross Site Scripting (XSS) testing.
The "Last Name" field of the "/patient/insert" page of Chikitsa 2.0.2 is subject to a Cross Site Scripting (XSS) vulnerability that appears on multiple pages: /patient/patient_report, /appointment/appointment_report, /patient/visit_report, and /patient/bill_detail_report. This allows malicious users to inject JavaScript or HTML by sending an authenticated POST HTTP request.
1. Log into the admin panel ('index.php/login/index').
2. Use the dashboard to navigate to the Add Patient page ('/patient/insert').
3. Edit the "Last Name" field on the page to a malicious payload.
4. Save the settings.
5. Navigate to any of 'patient/patient_report', 'patient/visit_report', 'patient/bill_detail_report' and the vulnerability is shown.
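
The fix belongs where the report pages print the stored last name. The following is an added example, not Chikitsa's own code: it renders one report row without and with output encoding, and includes a check that can be run against each affected report view. The function names and the patient record are hypothetical and constructed for illustration, and the stored value is inert markup.

```php
<?php
// Constructed patient record (not from the report): the last name carries
// inert HTML markup, standing in for a value saved via the "Last Name" field.
$patient = [
    'first_name' => 'Asha',
    'last_name'  => '<b data-marker="xss-test">Rao</b>',
];

// Hypothetical "before": the stored value is concatenated into the page as-is,
// so the browser parses it as markup on every report that prints it.
function render_row_unescaped(array $p): string
{
    return '<tr><td>' . $p['first_name'] . '</td><td>' . $p['last_name'] . '</td></tr>';
}

// Encode for the HTML body context at output time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every stored field passes through e() before it is printed.
function render_row_escaped(array $p): string
{
    return '<tr><td>' . e($p['first_name']) . '</td><td>' . e($p['last_name']) . '</td></tr>';
}

// Regression check for a rendered row: once the template's own <tr>/<td>
// tags are removed, any remaining "<" came from stored data.
function contains_unexpected_tags(string $html): bool
{
    $stripped = preg_replace('#</?(tr|td)>#', '', $html);
    return strpos($stripped, '<') !== false;
}

$renderers = ['unescaped' => 'render_row_unescaped', 'escaped' => 'render_row_escaped'];
foreach ($renderers as $label => $fn) {
    $html = $fn($patient);
    printf("%-9s unexpected tags: %s\n%s\n\n", $label, contains_unexpected_tags($html) ? 'yes' : 'no', $html);
}
```

Because the same field is printed on several report pages, the encoding has to be applied in each of those views (or in a shared output helper), not only on the insert form.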