CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability has been found in SourceCodester Open Source Clinic Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /appointment.php. The manipulation of the argument patient leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis
Critical SQL injection vulnerability in SourceCodester Open Source Clinic Management System 1.0 affecting the /appointment.php file's patient parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The exploit has been publicly disclosed with proof-of-concept availability, significantly elevating real-world exploitation risk.
Technical Context
The vulnerability exists in PHP application code that takes an HTTP request parameter and uses it in a database query without parameterization or input validation. Based on the public description, the patient parameter of /appointment.php is built into the SQL statement text (by string concatenation or equivalent) rather than bound as a query parameter, so SQL metacharacters in the value change the structure of the query. This falls under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), specifically manifesting as CWE-89 (SQL Injection). The affected product is a medical clinic management system written in PHP that processes appointment-related database queries. The root cause is the absence of prepared statements or parameterized queries; input validation against the expected identifier format is a useful second layer, but filtering "special SQL characters" on its own is not a reliable fix.
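The following is an added example, not code from the Clinic Management System and not taken from the public exploit. It shows the pattern the description implies for the patient parameter (request value concatenated into SQL) beside the hardened form recommended under Remediation (allowlist validation plus a bound, typed parameter). The table name, column names, function names and the in-memory SQLite database are assumptions made so the example runs offline; the real /appointment.php source is not reproduced on this page.

```php
<?php
// Added example (not the Clinic Management System's own code): the
// vulnerable pattern the advisory describes next to a hardened version.
// Table, columns and function names are assumptions for illustration.
declare(strict_types=1);

// Constructed in-memory SQLite database so the example runs offline.
function buildDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE appointments (id INTEGER PRIMARY KEY, patient_id INTEGER, note TEXT)');
    $pdo->exec("INSERT INTO appointments VALUES (1, 7, 'checkup'), (2, 8, 'follow-up'), (3, 9, 'x-ray')");
    return $pdo;
}

// VULNERABLE: the request parameter becomes part of the SQL text, so quotes
// and operators inside it change the query instead of being compared as data.
function lookupVulnerable(PDO $pdo, string $patient): array
{
    $sql = "SELECT id, patient_id, note FROM appointments WHERE patient_id = '" . $patient . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: allowlist the value, then bind it as a typed parameter so the
// database never parses it as SQL.
function lookupHardened(PDO $pdo, string $patient): array
{
    // Patient identifiers are assumed to be positive integers; reject anything else.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $patient)) {
        throw new InvalidArgumentException('invalid patient id');
    }
    $stmt = $pdo->prepare('SELECT id, patient_id, note FROM appointments WHERE patient_id = :patient');
    $stmt->bindValue(':patient', (int) $patient, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = buildDb();
$payload = "7' OR '1'='1"; // constructed tautology payload

// Vulnerable path: the tautology widens the WHERE clause, so rows for every
// patient come back, not just patient 7's.
echo count(lookupVulnerable($pdo, $payload)), " rows from the vulnerable query\n";

// Hardened path: the same payload fails validation before any SQL runs.
try {
    lookupHardened($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened query rejected payload: ", $e->getMessage(), "\n";
}

// A well-formed identifier goes through the bound parameter and returns
// only that patient's appointments.
echo count(lookupHardened($pdo, '7')), " row(s) from the hardened query\n";
```

Run with `php example.php` (the pdo_sqlite extension must be enabled). Even if the allowlist check were removed, the bound parameter alone would stop the injection: the payload would be compared as a literal string and match nothing. The check is kept because it also gives a clean error path and a cheap signal for logging rejected requests.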
Affected Products
SourceCodester Open Source Clinic Management System version 1.0 is confirmed affected. The vulnerable component is specifically the /appointment.php file's patient parameter handling. No CPE string was provided in source data, but the product would be identified as: Vendor: SourceCodester, Product: Open Source Clinic Management System, Version: 1.0. All default installations and any configurations that expose /appointment.php to unauthenticated users are vulnerable. The vulnerability affects the web application tier regardless of underlying operating system or database platform (likely MySQL/MariaDB given PHP context, but SQL injection works across database engines).
Remediation
Immediate actions:
(1) Apply vendor patches: check SourceCodester's official page or repository for a release that addresses CVE-2025-5712; no fixed version is identified in the source data.
(2) If no patch is available, validate the patient parameter against an allowlist of the expected format (for example, a positive integer ID or a specific alphanumeric pattern) and reject anything else.
(3) Use prepared statements: replace all direct SQL string construction with parameterized queries via PHP PDO or mysqli prepared statement APIs (e.g., $stmt = $pdo->prepare('SELECT * FROM appointments WHERE patient_id = ?'); $stmt->execute([$patient])). This is the actual fix; validation and WAF rules are defense in depth.
(4) Apply Web Application Firewall (WAF) rules that detect or block SQL injection patterns in requests to appointment.php, covering both GET query strings and POST bodies.
(5) Apply least privilege to the database account the application uses: read/write on the application's own tables only, no DDL, FILE, or administrative privileges.
(6) Stop database error details from reaching clients (set display_errors off and log errors server-side) so that failed injection attempts do not leak schema or query structure.
(7) Because a public proof of concept exists, review web server and database logs for injection attempts against appointment.php and audit for unauthorized access or data exfiltration.
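As a starting point for items (4) and (7) above, the following is an added example (not part of this advisory or of the product) that scans web server access-log lines for requests to /appointment.php whose decoded patient value does not look like a plain identifier or carries classic injection tokens. The Apache combined-log format, the sample lines, the IP addresses and the detection heuristics are all constructed for this example and should be tuned to the real deployment.

```php
<?php
// Added example (not part of the advisory or the project): flag requests to
// /appointment.php whose patient parameter looks like SQL injection.
// Log format, sample lines and heuristics are constructed assumptions.
declare(strict_types=1);

// Constructed sample access-log lines (Apache combined format); IPs are documentation ranges.
$sampleLog = <<<'LOG'
203.0.113.5 - - [10/Jun/2025:10:01:02 +0000] "GET /appointment.php?patient=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2025:10:01:07 +0000] "GET /appointment.php?patient=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "sqlmap/1.8"
203.0.113.9 - - [10/Jun/2025:10:01:09 +0000] "GET /appointment.php?patient=7%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20 HTTP/1.1" 200 1033 "-" "sqlmap/1.8"
198.51.100.4 - - [10/Jun/2025:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:10:02:35 +0000] "POST /appointment.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
LOG;

// A patient identifier is assumed to be a positive integer. Anything else that
// also contains quotes, comment sequences or SQL keywords is treated as suspicious.
function isSuspiciousPatientValue(string $value): bool
{
    if (preg_match('/^[1-9][0-9]{0,9}$/', $value)) {
        return false;
    }
    return (bool) preg_match(
        "/['\"]|--|\\/\\*|\\b(?:or|and|union|select|sleep|benchmark|information_schema)\\b/i",
        $value
    );
}

// Parse one combined-log line into request fields; null if the line does not match the format.
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)/', $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
        'target' => $m[4], 'status' => (int) $m[5], 'bytes' => (int) $m[6],
    ];
}

// Return the /appointment.php requests whose URL-decoded patient value is suspicious.
function findInjectionAttempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $url = parse_url($req['target']);
        if (($url['path'] ?? '') !== '/appointment.php' || empty($url['query'])) {
            continue;
        }
        parse_str($url['query'], $params); // parse_str also percent-decodes the values
        $patient = $params['patient'] ?? null;
        if (is_string($patient) && isSuspiciousPatientValue($patient)) {
            $hits[] = $req + ['patient' => $patient];
        }
    }
    return $hits;
}

foreach (findInjectionAttempts($sampleLog) as $hit) {
    printf("%s %s status=%d bytes=%d patient=%s\n",
        $hit['time'], $hit['ip'], $hit['status'], $hit['bytes'], $hit['patient']);
}
```

Two caveats for real use. Access logs record only the query string, so injection delivered in a POST body (the last sample line) is invisible here; that traffic needs request-body logging or inspection at the WAF. And the response-size field is a useful second signal: a tautology that dumps every patient's appointments produces a much larger response than a normal lookup, as the constructed byte counts are meant to suggest.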
External POC / Exploit Code
EUVD-2025-17047