Cross-Site Scripting Vulnerability in CodeAstro Hospital Management System
CVE-2024-11676

CVSS 5.4 (MEDIUM)

Key Information:

Vendor: Codeastro
CVE Published: 26 November 2024

Badges: Exploit Exists

What is CVE-2024-11676?

CVE-2024-11676 identifies a critical cross-site scripting (XSS) vulnerability in CodeAstro Hospital Management System version 1.0, specifically in the 'Add Laboratory Equipment Page' at /backend/admin/his_admin_add_lab_equipment.php. Seven input parameters of that page (eqp_code, eqp_name, eqp_vendor, eqp_desc, eqp_dept, eqp_status and eqp_qty) are not sanitized, so an attacker can supply values containing script that is later rendered in a victim's browser. The vulnerability is exploitable remotely over the network; per the CVSS vector it needs low privileges and a user interaction, and its scope is changed, meaning the injected script executes in the context of the user viewing the page rather than of the server. Because a public exploit has been disclosed, users of this system should, without delay, validate and sanitize these input parameters server-side and escape them when they are written into HTML.
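The fix pattern the advisory calls for, shown as an added example in PHP (the language of the affected page); this is illustration code and not CodeAstro's own source. The parameter names come from the advisory; the validation rules, the allowed eqp_status values, the length limits and the helper names validate_equipment, h and render_row are assumptions made for the example. The demo input is constructed.

```php
<?php
// Added example (not CodeAstro's code): server-side validation of the seven
// parameters named in CVE-2024-11676 plus context-aware escaping when they are
// written back into HTML. Escaping on output is what actually stops the XSS;
// validation narrows what gets stored in the first place.

// Only these parameters are accepted; anything else in the request is ignored.
const EQP_FIELDS = ['eqp_code', 'eqp_name', 'eqp_vendor', 'eqp_desc',
                    'eqp_dept', 'eqp_status', 'eqp_qty'];

// Assumed set of valid status values (not taken from the advisory).
const EQP_STATUSES = ['active', 'inactive', 'maintenance'];

/** Returns [cleanedValues, listOfInvalidFieldNames]. Limits are assumptions. */
function validate_equipment(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (EQP_FIELDS as $f) {
        $clean[$f] = trim((string) ($input[$f] ?? ''));
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $clean['eqp_code'])) {
        $errors[] = 'eqp_code';
    }
    if ($clean['eqp_name'] === '' || mb_strlen($clean['eqp_name']) > 100) {
        $errors[] = 'eqp_name';
    }
    if (mb_strlen($clean['eqp_vendor']) > 100) {
        $errors[] = 'eqp_vendor';
    }
    if (mb_strlen($clean['eqp_desc']) > 1000) {
        $errors[] = 'eqp_desc';
    }
    if (mb_strlen($clean['eqp_dept']) > 50) {
        $errors[] = 'eqp_dept';
    }
    if (!in_array($clean['eqp_status'], EQP_STATUSES, true)) {
        $errors[] = 'eqp_status';
    }
    if (!ctype_digit($clean['eqp_qty'])) {   // non-negative integer only
        $errors[] = 'eqp_qty';
    }
    return [$clean, $errors];
}

/** HTML-body/attribute escaping; ENT_QUOTES covers both quote styles. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern this replaces: values concatenated into markup as-is, e.g.
//   echo '<td>' . $row['eqp_name'] . '</td>';
// Hardened rendering: every stored value passes through h() on the way out.
function render_row(array $row): string
{
    $cells = '';
    foreach (EQP_FIELDS as $f) {
        $cells .= '<td>' . h($row[$f] ?? '') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Constructed demo request: a script tag in eqp_name and a bad quantity.
$demo = [
    'eqp_code'   => 'EQ-001',
    'eqp_name'   => '<script>alert(1)</script>',
    'eqp_vendor' => 'Example Vendor',
    'eqp_desc'   => 'Centrifuge',
    'eqp_dept'   => 'Haematology',
    'eqp_status' => 'active',
    'eqp_qty'    => '3x',
];

[$clean, $errors] = validate_equipment($demo);
if ($errors) {
    echo 'Rejected fields: ' . implode(', ', $errors) . PHP_EOL; // eqp_qty
}
// Even if a value like eqp_name is stored, it is rendered as inert text:
echo render_row($clean) . PHP_EOL;
// The name cell comes out as &lt;script&gt;alert(1)&lt;/script&gt;, so the
// browser displays the characters instead of executing them.
```

Validation alone would not have stopped this case: the script tag fits comfortably inside a 100-character name, which is why the escaping in render_row is the control that matters. A Content-Security-Policy that disallows inline script is a sensible second layer, but it does not remove the need to escape.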

Affected Version(s)

Hospital Management System 1.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Public PoC available
  • Exploit known to exist
  • Vulnerability published