# Exploit Title: Online Doctor Appointment System 1.0 - 'Multiple' Stored XSS
# Tested on: Windows 10
# Exploit Author: Mohamed habib Smidi (Craniums)
# Date: 2021-01-08
# Vendor Homepage: https://www.sourcecodester.com/php/14663/online-doctor-appointment-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14663&title=Online+Doctor+Appointment+System+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
# CVE : CVE-2021-25791
Step 1: Login to the doctor account in http://TARGET/doctorappointmentsystem/adminlogin.php
Step 2: then Click on the username and go to profile
Step 3: Click on Update profile.
Step 4: Input "<script>alert("craniums")</script>" in the field First Name,Last Name and Address.
Step 5: This Will trigger the payload each time you update or visit a new page.