Hospital-management-system-in-php 378c157 - Blind SQL Injection
8,4
High
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Hospital-management-system-in-php 378c157 - Blind SQL Injection
Code name
State
Public
Release date
28 sept 2023
Affected product
Hospital Management System
Affected version(s)
Version 378c157
Vulnerability name
SQL injection
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 base score
9.8
Exploit available
Yes
CVE ID(s)
Description
Hospital management system version 378c157 allows to bypass authentication. This is possible because the application is vulnerable to SQLI.
Vulnerability
A sql injection (SQLI) vulnerability has been identified in Hospital management system. This allows bypassing authentication and access as any user, in this case administrator.
Exploit
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-5004 to refer to this issue from now on. Disclosure policy
System Information
Version: hospital-management-system-in-php 378c157
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Timeline
IA generativa
15 sept 2023
Vendor contacted
15 sept 2023
Public disclosure
28 sept 2023
