Cross-Site Scripting Vulnerability in CodeAstro Hospital Management System
CVE-2024-11677

5.4 MEDIUM

Key Information:

Vendor:
Codeastro

CVE Published:
26 November 2024

Badges

👾 Exploit Exists

What is CVE-2024-11677?

CVE-2024-11677 is a cross-site scripting (XSS) vulnerability in CodeAstro Hospital Management System 1.0. The affected code is the 'Add Vendor Details' page, /backend/admin/his_admin_add_vendor.php, which does not validate or HTML-encode the request parameters v_name, v_adr, v_number, v_email, v_phone and v_desc before placing them in the response. A remote attacker who can submit a crafted value for any of these parameters can inject script that runs in the browser of a user who views the resulting page, within the application's own origin. Because the page sits in the admin backend, the realistic victim is an administrative user, so the impact includes theft of that user's session, actions performed with that user's privileges, and exposure of the patient and vendor data visible to that account. A public exploit exists, so operators of the affected version should apply a vendor fix or, failing that, add output encoding on the affected page and restrict network access to the admin backend.
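The following is an added illustration and is not CodeAstro's code: the product's actual source is not reproduced here, and the vulnerable function below is an assumed reconstruction of the bug class the advisory describes (the six vendor fields written into HTML without encoding). The hardened version shows the two controls a fix needs, output encoding with htmlspecialchars on every render of these fields and format validation on the write path. The payload in the sample record is constructed for this example and is not the public PoC; whether the injected value is reflected at once or stored and rendered later, the encoding fix is the same.

```php
<?php
declare(strict_types=1);

// Added example, not CodeAstro's code. Field names come from the advisory;
// everything else (function names, limits, the sample record) is assumed.
const VENDOR_FIELDS = ['v_name', 'v_adr', 'v_number', 'v_email', 'v_phone', 'v_desc'];

// --- Vulnerable pattern (assumed reconstruction of the reported bug class) ---
function renderVendorRowVulnerable(array $vendor): string
{
    $html = '<tr>';
    foreach (VENDOR_FIELDS as $field) {
        // Raw interpolation: any markup in a field becomes live HTML for
        // whoever views this row, e.g. an administrator listing vendors.
        $html .= '<td>' . ($vendor[$field] ?? '') . '</td>';
    }
    return $html . '</tr>';
}

// --- Hardened version ---

// HTML body/attribute encoding. ENT_QUOTES also encodes single quotes, so the
// same helper is safe inside quoted attributes; ENT_SUBSTITUTE prevents the
// function from returning an empty string on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Write-path validation narrows what reaches the database at all. Free-text
// fields (v_name, v_adr, v_desc) are length-limited only; their safety depends
// on e() at render time. Structured fields get a strict format check.
function validateVendorInput(array $post): array
{
    $clean = [];
    foreach (VENDOR_FIELDS as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if (strlen($value) > 2000) {
            throw new InvalidArgumentException("$field too long");
        }
        $clean[$field] = $value;
    }
    if ($clean['v_email'] !== '' && filter_var($clean['v_email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('v_email is not a valid address');
    }
    // Phone and vendor number: digits, spaces, plus, dash and parentheses only.
    foreach (['v_phone', 'v_number'] as $field) {
        if ($clean[$field] !== '' && !preg_match('/^[0-9+()\-\s]{3,32}$/', $clean[$field])) {
            throw new InvalidArgumentException("$field has an unexpected format");
        }
    }
    return $clean;
}

function renderVendorRowSafe(array $vendor): string
{
    $html = '<tr>';
    foreach (VENDOR_FIELDS as $field) {
        $html .= '<td>' . e((string)($vendor[$field] ?? '')) . '</td>';
    }
    return $html . '</tr>';
}

// Constructed sample submission (not the public PoC): v_desc carries an
// event-handler payload, which is the typical shape of an XSS probe.
$submitted = [
    'v_name'   => 'Acme Pharma',
    'v_adr'    => '12 Main St',
    'v_number' => '4471',
    'v_email'  => 'sales@example.com',
    'v_phone'  => '+1 555 0100',
    'v_desc'   => '<img src=x onerror=alert(document.cookie)>',
];

// Vulnerable render: the onerror attribute is emitted as markup.
echo renderVendorRowVulnerable($submitted), PHP_EOL;

// Hardened path: v_desc is free text so validation accepts it, and e() turns
// the angle brackets into entities so the browser shows it as inert text.
$stored = validateVendorInput($submitted);
echo renderVendorRowSafe($stored), PHP_EOL;

// A payload placed in a structured field is rejected before it is stored.
$bad = $submitted;
$bad['v_email'] = '"><script>alert(1)</script>';
try {
    validateVendorInput($bad);
} catch (InvalidArgumentException $ex) {
    echo 'Rejected: ', $ex->getMessage(), PHP_EOL;
}
```

Two points follow from the example. First, encoding has to be applied at every place these six fields are rendered (vendor list, edit form, reports), not only on the add page, because a value accepted once may be displayed many times. Second, a Content-Security-Policy header that disallows inline script, and HttpOnly on the session cookie, limit what an injected script can do if an encoding gap remains; they are defence in depth, not a substitute for the fix.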

Affected Version(s)

Hospital Management System 1.0

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published (26 November 2024)
  • Vulnerability reserved