Cross-Site Scripting Vulnerability in CodeAstro Hospital Management System
CVE-2024-11678

5.4MEDIUM

Key Information:

Vendor: Codeastro
Status: Hospital Management System
Vendor: CVE Published:; 26 November 2024

Badges

👾 Exploit Exists

What is CVE-2024-11678?

CVE-2024-11678 is a critical cross-site scripting (XSS) vulnerability discovered in the CodeAstro Hospital Management System version 1.0. This vulnerability resides in the backend script responsible for patient registration, specifically in the file '/backend/doc/his_doc_register_patient.php'. It arises from improper handling of user-supplied input parameters such as pat_fname, pat_ailment, pat_lname, pat_age, pat_dob, pat_number, pat_phone, pat_type, and pat_addr. An attacker can exploit this flaw remotely by injecting malicious scripts through these parameters, potentially leading to unauthorized access and manipulation of patient information. As the exploit has been publicly disclosed, immediate remedial action is advised to mitigate the risk associated with this vulnerability.

Affected Version(s)

Hospital Management System 1.0

References

https://vuldb.com/?id.286018

vdb-entrytechnical-description

https://vuldb.com/?ctiid.286018

signaturepermissions-required

https://vuldb.com/?submit.448789

third-party-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 26, 2024
👾
Exploit known to exist
Nov 26, 2024
Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Nov 25, 2024

Credit

egsec (VulDB User)

Codeastro