SQL Injection in hospital-management-system-in-php 378c157 in index.php
8,8
High
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
SQL Injection in hospital-management-system-in-php 378c157 in index.php
Code name
State
Public
Release date
28 de set. de 2023
Affected product
Hospital Management System
Affected version(s)
Version 378c157
Vulnerability name
SQL injection
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 base score
8.8
Exploit available
Yes
CVE ID(s)
Description
Hospital management system version 378c157 allows to bypass authentication. This is possible because the application is vulnerable to SQLI.
Vulnerability
A sql injection (SQLI) vulnerability has been identified in Hospital management system. This allows bypassing authentication and access as any user.
Exploit
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-5053 to refer to this issue from now on. Disclosure policy
System Information
Version: hospital-management-system-in-php 378c157
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Timeline
Vulnerability discovered
15 de set. de 2023
Vendor contacted
15 de set. de 2023
Public disclosure
28 de set. de 2023
