Scan free
LOWCVE-2024-11676CVSS 3.5

CVE-2024-11676: XSS in CodeAstro Hospital Management System

Platform

php

Component

zero-day

Fixed in

1.0.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026
View on NVD
Save

CVE-2024-11676 is a cross-site scripting (XSS) vulnerability identified in CodeAstro Hospital Management System versions 1.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The affected component is the 'Add Laboratory Equipment Page' accessible via /backend/admin/hisadminaddlabequipment.php. A patch is available in version 1.0.1.

Impact and Attack Scenarios

Successful exploitation of CVE-2024-11676 allows an attacker to inject arbitrary JavaScript code into the web pages viewed by other users. This can be leveraged to steal session cookies, redirect users to malicious websites, or modify the content of the page. Given the context of a hospital management system, this could potentially compromise sensitive patient data or disrupt critical operations. The vulnerability's remote accessibility significantly broadens the attack surface, as it doesn't require local access to the system.

Exploitation Context

This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the potential impact on a hospital management system warrants immediate attention. No known active campaigns or KEV listing at the time of writing. Public proof-of-concept code is likely to emerge given the disclosure.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.13% (33% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N3.5LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentzero-day
VendorCodeAstro
Affected rangeFixed in
1.0 – 1.01.0.1

Weakness Classification (CWE)

CWE-79CWE-94

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-11676 is to upgrade to CodeAstro Hospital Management System version 1.0.1 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing strict input validation and output encoding on the /backend/admin/hisadminaddlabequipment.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update input validation routines to prevent similar vulnerabilities.

How to fix

Actualice el sistema de gestión hospitalaria a una versión parcheada que solucione la vulnerabilidad XSS. Si no hay una versión disponible, revise y filtre las entradas de los campos eqp_code, eqp_name, eqp_vendor, eqp_desc, eqp_dept, eqp_status y eqp_qty en el archivo his_admin_add_lab_equipment.php para evitar la inyección de código malicioso.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-11676 — XSS in CodeAstro Hospital Management System?

CVE-2024-11676 is a cross-site scripting (XSS) vulnerability affecting CodeAstro Hospital Management System versions 1.0, allowing attackers to inject malicious scripts via the /backend/admin/hisadminaddlabequipment.php page.

Am I affected by CVE-2024-11676 in CodeAstro Hospital Management System?

Yes, if you are using CodeAstro Hospital Management System version 1.0, you are vulnerable to this XSS attack. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2024-11676 in CodeAstro Hospital Management System?

The recommended fix is to upgrade to CodeAstro Hospital Management System version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround if immediate upgrade is not possible.

Is CVE-2024-11676 being actively exploited?

While no active campaigns are confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems closely.

Where can I find the official CodeAstro advisory for CVE-2024-11676?

Refer to the CodeAstro website or their official security advisory channels for the latest information and updates regarding CVE-2024-11676.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs