Hospitals Patient Records Management System
Stored or reflected cross-site scripting in SourceCodester Hospitals Patient Records Management System 1.0 allows a remote, authenticated administrator to inject malicious client-side scripts via the unvalidated `room` argument at the `/admin/?page=room_types` endpoint. The CVSS score of 2.4 (Low) accurately reflects the constrained conditions: exploitation requires admin-level credentials (PR:H) and victim interaction (UI:R), limiting blast radius to the admin panel. A publicly available proof-of-concept exploit exists via a GitHub issue, but no active exploitation has been confirmed by CISA KEV.
Stored cross-site scripting in SourceCodester Hospitals Patient Records Management System 1.0 allows a remote, high-privileged attacker to inject malicious script via the `Remarks` argument on the `/admin/?page=patients/view_patient` endpoint, resulting in a low integrity impact when a victim administrator views the affected patient record. A public proof-of-concept exploit exists (GitHub issue), though the CVSS 4.0 base score of 1.9 and EPSS of 0.03% (8th percentile) indicate low real-world exploitation likelihood. This is not listed in the CISA KEV catalog, and SSVC classifies it as non-automatable with partial technical impact.