CVE-2025-45805 PoC — PHPGurukul Doctor Appointment Management System 安全漏洞

Source

Associated Vulnerability

Description

Poc Of CVE-2025-45805

Readme

# CVE-2025-45805
Poc Of CVE-2025-45805
Affected Product: Doctor Appointment Management System
Vendor: phpgurukul
Version: 1.0
Vulnerability Type: Stored Cross-Site Scripting (XSS)

Description:
An authenticated doctor user can inject arbitrary JavaScript code into the doctor profile field (name/employee ID). The malicious payload is then rendered without sanitization when a patient selects the doctor to book an appointment, leading to arbitrary script execution in the victim’s browser. This can result in account takeover, session hijacking, or cookie theft.

Impact: High severity (Account Takeover, Session Hijacking)
Attack Vector: Remote (Stored XSS), victim must visit the booking page
Discovered by: Mohammed Hayaf Al-Saqqaf (BULLETMHS) & Ayman Al-Hakimi


[![Play](Screenshot_2025-09-02-23-41-56-09_f2cb81fb7cf38af7978f186f2a61634a.jpg)](ATO%20XSS.mp4)

File Snapshot

 [4.0K]  /data/pocs/fe4505df98f611735d0b0e4a0d1a0d1a329cdd9e
├── [ 14M]  ATO XSS.mp4
├── [ 868]  README.md
├── [172K]  Screenshot_2025-09-02-23-40-35-82_f2cb81fb7cf38af7978f186f2a61634a.jpg
├── [227K]  Screenshot_2025-09-02-23-41-12-32_f2cb81fb7cf38af7978f186f2a61634a.jpg
├── [193K]  Screenshot_2025-09-02-23-41-39-15_f2cb81fb7cf38af7978f186f2a61634a.jpg
└── [357K]  Screenshot_2025-09-02-23-41-56-09_f2cb81fb7cf38af7978f186f2a61634a.jpg

0 directories, 6 files

Remarks