Patient Record Management System
CVE-2025-7754
Severity: LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in code-projects Patient Record Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /xray_form.php. The manipulation of the argument itr_no leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Patient Record Management System 1.0 via the itr_no parameter of /xray_form.php allows authenticated remote attackers to execute arbitrary SQL queries, with low confidentiality, integrity, and availability impact on the vulnerable system. Exploitation requires valid user credentials (PR:L) but is possible remotely over the network. Public exploit code is available, though real-world exploitation risk remains low given the EPSS score of 0.04% and the limited scope of impact (low impact on the vulnerable system itself, and none on subsequent systems per SC:N/SI:N/SA:N).
Technical Context (AI)
The vulnerability exists in a PHP-based patient record management application developed by Fabian Ros. The /xray_form.php endpoint accepts user input via the itr_no parameter without validation and without parameterized queries, allowing SQL injection (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The application most likely builds its SQL by direct string concatenation rather than with prepared statements, a common pattern in legacy medical software. The attack vector is network-based (AV:N): the vulnerable endpoint is reachable over HTTP/HTTPS with no special network positioning required.
Remediation (AI)
No vendor-released patch identified at time of analysis. Immediate remediation steps:
(1) Upgrade or migrate away from Patient Record Management System 1.0 if a patched version is available from the vendor (contact code-projects.org or Fabian Ros).
(2) If an upgrade is not feasible, validate the itr_no parameter before use and convert all SQL queries to prepared statements with bound parameters (e.g., PDO with bound parameters in PHP), so that user input can never alter the query structure.
(3) Apply WAF rules to block requests containing SQL keywords or special characters in the itr_no parameter.
(4) Restrict access to /xray_form.php to authenticated users only, and further limit it to users with radiology/imaging roles.
(5) Run automated SQL injection scanning (e.g., sqlmap) against the application in your test environment to identify any similar injection points in other forms.
Monitor application logs for suspicious SQL error messages or abnormal query patterns that indicate exploitation attempts.
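The following is an added illustration of remediation step (2), written for this page; it is not code from the Patient Record Management System project. The advisory only states that /xray_form.php reads the itr_no request parameter and builds SQL from it, so the table name, column name, allowed itr_no format, DSN and credentials below are assumptions. The first function shows the concatenation pattern the Technical Context describes; the rest shows the hardened PDO replacement with input validation and error handling that feeds the log monitoring recommended above.

```php
<?php
// Added example, not the project's own code. Table/column names, the itr_no
// format, and the DSN/credentials are assumptions for illustration only.
declare(strict_types=1);

// --- "Before": the vulnerable pattern described in Technical Context ---
// Concatenating the raw parameter into the SQL text lets the caller change
// the query's grammar, not just the compared value.
function fetch_xray_unsafe(mysqli $db, string $itr_no): ?array
{
    $sql = "SELECT * FROM xray WHERE itr_no = '" . $itr_no . "'"; // injectable
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- "After", part 1: validate the parameter's shape at the boundary ---
// The permitted format is an assumption; adjust it to what itr_no really is.
function validate_itr_no(?string $raw): string
{
    if ($raw === null || !preg_match('/^[A-Za-z0-9\-]{1,32}$/', $raw)) {
        throw new InvalidArgumentException('itr_no has an unexpected format');
    }
    return $raw;
}

// --- "After", part 2: a PDO prepared statement with a bound parameter ---
// The SQL text and the value travel separately, so the value cannot
// alter the query structure regardless of its content.
function fetch_xray_safe(PDO $pdo, string $itr_no): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM xray WHERE itr_no = :itr_no');
    $stmt->bindValue(':itr_no', $itr_no, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection setup: real server-side prepares (no emulation) and exceptions
// on failure, so a broken query is logged instead of silently ignored.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=prms;charset=utf8mb4', // placeholder DSN
        'prms_user',                                         // placeholder user
        'change-me',                                         // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Request handling as it might look in a hardened xray_form.php (hypothetical).
try {
    $itr_no = validate_itr_no($_GET['itr_no'] ?? null);
    $row    = fetch_xray_safe(connect(), $itr_no);
    // Encode on output as well; the database is not the only downstream consumer.
    echo $row
        ? htmlspecialchars(json_encode($row, JSON_THROW_ON_ERROR), ENT_QUOTES)
        : 'not found';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    // Rejected inputs are worth logging: a burst of them is an early signal.
    error_log('xray_form.php rejected itr_no: ' . $e->getMessage());
    echo 'invalid request';
} catch (PDOException $e) {
    http_response_code(500);
    // Log the database error server-side; never echo SQL errors to the client.
    error_log('xray_form.php database error: ' . $e->getMessage());
    echo 'internal error';
}
```

The validation regex is a guess at a plausible record-number format and should be tightened or loosened to match the real data; the prepared statement is what removes the injection regardless of what the regex permits. Disabling emulated prepares matters because with emulation PDO interpolates values client-side, which is safe in current drivers but defeats the point of letting the server enforce the separation.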