SourceCodester Doctors Appointment System Parameter add-new.php sql injection
CVE-2023-1062

8.8HIGH

Key Information:

Vendor
SourceCodester
Status
Doctors Appointment System
Vendor
CVE Published:
27 February 2023

Summary

A SQL injection vulnerability exists in the SourceCodester Doctors Appointment System 1.0, specifically within the /admin/add-new.php file of the Parameter Handler component. By manipulating the email parameter, an attacker can execute unauthorized SQL queries, allowing for remote exploitation. This flaw poses significant security risks, as it can lead to unauthorized access to sensitive data. The vulnerability has been publicly disclosed, increasing the urgency for affected users to implement remediation measures.

Affected Version(s)

Doctors Appointment System 1.0

References

https://vuldb.com/?id.221826
vdb-entrytechnical-description
https://vuldb.com/?ctiid.221826
signaturepermissions-required
https://github.com/E1CHO/cve_hub/blob/main/edoc%20doctor%...
exploit

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

SSL_Seven_Security Lab_WangZhiQiang_ZhangYing (VulDB User)
.