CVE-2021-39416 Information

Description

Multiple Cross Site Scripting (XSS) vulnerabilities exist in Remote Clinic v2.0 in (1) patients/register-patient.php via the (a) Contact (b) Email (c) Weight (d) Profession (e) ref_contact (f) address (g) gender (h) age and (i) serial parameters; in (2) patients/edit-patient.php via the (a) Contact (b) Email (c) Weight Profession (d) ref_contact (e) address (f) serial (g) age and (h) gender parameters; in (3) staff/edit-my-profile.php via the (a) Title (b) First Name (c) Last Name (d) Skype and (e) Address parameters; and in (4) clinics/settings.php via the (a) portal_name (b) guardian_short_name (c) guardian_name (d) opening_time (e) closing_time (f) access_level_5 (g) access_level_4 (h) access_level_3 (i) access_level_2 (j) access_level_1 (k) currency (l) mobile_number (m) address (n) patient_contact (o) patient_address and (p) patient_email parameters.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://sisl.lab.uic.edu/projects/chess/remote-clinic/
https://remoteclinic.io
https://github.com/remoteclinic/RemoteClinic/issues/17

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Base Severity

MEDIUM
