LOW · CVE-2024-11102 · CVSS 3.5

CVE-2024-11102: XSS in Hospital Management System 1.0

Platform

php

Component

cves-and-vulnerabilities

Fixed in

1.0.1

AI Confidence: high · Source: NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2024-11102 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester Hospital Management System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and system integrity. The vulnerability impacts the /vm/doctor/edit-doc.php file and is addressed in version 1.0.1.

Impact and Attack Scenarios

Successful exploitation of CVE-2024-11102 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's interface. An attacker could potentially steal sensitive patient data or gain unauthorized access to administrative functions within the Hospital Management System. The impact is amplified if the system is used in a multi-user environment, as a single compromised account could be used to target other users.

Exploitation Context

CVE-2024-11102 has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No active exploitation campaigns are currently known, but the availability of the vulnerability details makes it a potential target for opportunistic attackers. The vulnerability was published on 2024-11-12.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.18% (40th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Base score: 3.5 (LOW)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: cves-and-vulnerabilities
Vendor: SourceCodester
Affected range: 1.0 – 1.0
Fixed in: 1.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-11102 is to upgrade to version 1.0.1 of SourceCodester Hospital Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /vm/doctor/edit-doc.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Regularly review and update security policies to prevent similar vulnerabilities in the future.

How to fix

Update the Hospital Management System to a patched version that fixes the XSS vulnerability. If no such version is available, review and filter the input of the 'name' parameter in the edit-doc.php file to prevent injection of malicious code. Consider temporarily disabling the affected functionality until a fix can be applied.
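The two layers recommended above (validate the 'name' parameter on the way in, encode it on the way out) look like this in PHP. This is an added illustration, not SourceCodester's code and not the actual contents of edit-doc.php; the form field layout, the helper names (esc, validate_doctor_name, render_name_field) and the name format rule are assumptions made for the example. The vulnerable function is shown only to contrast the pattern that makes the reflected value executable with the one that does not.

```php
<?php
// Added example, not the project's code. The real edit-doc.php is assumed to
// echo the 'name' request parameter back into an <input> value attribute.

declare(strict_types=1);

// Vulnerable pattern: request input is concatenated straight into HTML, so a
// value containing a quote and a tag closes the attribute and starts markup.
function render_name_field_vulnerable(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '">';
}

// Hardened output encoding, applied at the point of insertion into HTML.
// ENT_QUOTES escapes both " and ' so the value cannot leave the attribute;
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole output into "".
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation is the second layer. A doctor's name has a known shape
// (assumed here: letters in any script, combining marks, spaces, apostrophes,
// hyphens and periods, 1..100 characters), so anything else is rejected
// before it is stored. Returns the trimmed name, or null when rejected.
function validate_doctor_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match("/^[\\p{L}\\p{M}\\s.'\\-]+$/u", $name)) {
        return null;
    }
    return $name;
}

// Hardened rendering: same markup as the vulnerable version, but encoded.
function render_name_field(string $name): string
{
    return '<input type="text" name="name" value="' . esc($name) . '">';
}

// Constructed sample input (used when the script is run outside a web
// request, where $_POST is empty). It has the shape of a classic attribute
// break-out and is here only to show that the encoded output contains no raw
// quote or angle bracket.
$submitted = $_POST['name'] ?? '"><script>alert(1)</script>';

// Write path: validate before the value reaches the database.
$valid = validate_doctor_name($submitted);
echo $valid === null ? "rejected on input\n" : "accepted: {$valid}\n";

// Read path: encode regardless of what the database holds, because existing
// records may predate the validation or have been written by another code path.
echo render_name_field($submitted), "\n";
```

Encoding on output is the control that actually closes the XSS: with htmlspecialchars and ENT_QUOTES the sample value's double quote becomes &quot; and its angle brackets become &lt; and &gt;, so the browser treats the whole string as attribute text. Validation on input narrows what can be stored but should not be relied on alone, since data already in the doctors table was never validated. If the same value is also emitted into a JavaScript block or a URL elsewhere in the application, each of those contexts needs its own encoder; the HTML-attribute escaping shown here is not sufficient there.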


Frequently asked questions

What is CVE-2024-11102 — XSS in SourceCodester Hospital Management System?

CVE-2024-11102 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Hospital Management System version 1.0, allowing attackers to inject malicious scripts.

Am I affected by CVE-2024-11102 in SourceCodester Hospital Management System?

You are affected if you are using SourceCodester Hospital Management System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2024-11102 in SourceCodester Hospital Management System?

Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the /vm/doctor/edit-doc.php file.

Is CVE-2024-11102 being actively exploited?

While no active exploitation campaigns are currently known, the public disclosure of the vulnerability increases the risk of exploitation.

Where can I find the official SourceCodester advisory for CVE-2024-11102?

Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2024-11102.
