Severity by source
Primary rating from NVD (only source for this CVE). CVSS vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
Clinic's Patient Management System version 2.0 suffers from a SQL injection vulnerability in the login page.
Analysis (AI)
Clinic's Patient Management System version 2.0 contains a SQL injection vulnerability in the login page. Unauthenticated attackers can bypass authentication and extract the entire patient database including medical records, personal information, and appointment histories through SQL injection in login credentials.
Technical Context (AI)
The login page processes username and password fields without parameterized queries or input sanitization. An attacker can inject SQL in the login fields to bypass authentication (e.g., admin' OR '1'='1) or extract database contents through UNION-based or time-based blind injection techniques.
Affected Products (AI)
Clinic's Patient Management System 2.0
Remediation (AI)
Update the system to use parameterized queries. Deploy a WAF with SQL injection detection. Conduct a PHI breach assessment if exploitation is suspected. Implement multi-factor authentication for clinical systems. Consider migrating to a certified EHR system.
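To make the remediation concrete, here is an added example (not code from the product or from this advisory) that contrasts the concatenated login query described under Technical Context with the parameterized form the remediation calls for. The user table, column names and credentials are constructed assumptions, and SQLite stands in for the product's real database.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table.
    Schema, column names and the stored credential are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the advisory describes: user input is spliced straight
    into the SQL text, so quote characters in the input change the query's
    structure. With username admin' OR '1'='1 the WHERE clause becomes
    username = 'admin' OR '1'='1' AND password = '...', which matches the
    admin row regardless of the password supplied."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """The remediated form: the SQL text is fixed and the driver binds the
    values separately, so the same input is compared as a literal string
    and never interpreted as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1'='1"  # the bypass input quoted in the advisory
    print("vulnerable, valid creds:   ", login_vulnerable(db, "admin", "s3cret"))
    print("vulnerable, injected input:", login_vulnerable(db, payload, "wrong"))
    print("parameterized, valid creds:", login_parameterized(db, "admin", "s3cret"))
    print("parameterized, injected:   ", login_parameterized(db, payload, "wrong"))
```

Running it shows the concatenated query accepting the injected username with a wrong password while the parameterized query rejects it; the password storage is deliberately naive here because the example isolates the query construction, not credential hashing.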