Reported on Apr 13th 2023


A stored XSS attack is possible.

Proof of Concept

Step 1: Go to the login URL and log in as an admin.

Step 2: Click on the Users tab, then click the Add button to create a new user with the following details.


First Name: <script>alert("XSS")</script>
Username: <script>alert("XSS")</script>
Last Name: <script>alert("XSS")</script>
Password: P@ssword123
Phone Number: 1234

Now click the Save button to add the user.

Step 3: Log out as administrator and log in with the credentials of the new user created above.


Username: <script>alert("XSS")</script>
Password: P@ssword123

Step 4: After logging in, alert boxes start appearing.

The PoC worked: we are able to execute JavaScript code.


An attacker can inject JavaScript into a victim's browser, which can lead to cookie theft, installation of JavaScript malware and keyloggers, performing remote actions, etc.
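The PoC above shows that the user's name fields are stored verbatim and later rendered as HTML. The following is an added example (not code from the report or from the Easy!Appointments code base) contrasting that vulnerable rendering pattern with output encoding at render time; the user record and function names are constructed for illustration.

```javascript
// Added example, not part of the original report or project.
// Constructed user record mirroring the fields entered in the PoC.
const STORED_USER = {
  first_name: '<script>alert("XSS")</script>',
  last_name: '<script>alert("XSS")</script>',
  username: '<script>alert("XSS")</script>',
};

// Minimal HTML entity encoder for text placed inside element content
// or inside a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: stored fields are concatenated straight into markup.
// Once this string is inserted into the page as HTML, the injected
// <script> element (or an event-handler attribute) is interpreted by the
// browser, which is what produces the alert boxes in Step 4.
function renderUserUnsafe(user) {
  return `<li data-username="${user.username}">` +
    `${user.first_name} ${user.last_name}</li>`;
}

// Hardened pattern: every untrusted field is encoded for the HTML context
// it is placed in. Legitimate names (O'Brien, "Smith & Sons") still display
// correctly; only their interpretation as markup is prevented.
function renderUserSafe(user) {
  return `<li data-username="${escapeHtml(user.username)}">` +
    `${escapeHtml(user.first_name)} ${escapeHtml(user.last_name)}</li>`;
}

// Regression check: does a rendered fragment still contain a live script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```

The same encoding must be applied wherever the stored fields reach a page (user list, profile header, appointment views), since fixing one render path leaves the others exploitable.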

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. a month ago
Litesh Ghute (a month ago):

Please verify it and assign it a CVE :)

We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back a month ago
alextselegidis/easyappointments maintainer has acknowledged this report a month ago
Alex Tselegidis validated this vulnerability a month ago
Litesh Ghute has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit bddc5c a month ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability has been assigned a CVE
Alex Tselegidis published this vulnerability a month ago