Platform
php
Component
zero-day
Fixed in
1.0.1
CVE-2024-11675 describes a cross-site scripting (XSS) vulnerability discovered in CodeAstro Hospital Management System versions 1.0. This vulnerability allows attackers to inject malicious scripts into the application via manipulation of patient details within the Add Patient Details Page. Affected users should upgrade to version 1.0.1 to address this issue. The vulnerability has been publicly disclosed.
An attacker can exploit this XSS vulnerability by crafting malicious patient data containing JavaScript code. When a user with appropriate privileges views the modified patient record, the injected script will execute within their browser context. This could lead to session hijacking, redirection to phishing sites, or the theft of sensitive information displayed on the page. The impact is amplified if the application is used to manage patient records containing Personally Identifiable Information (PII), potentially leading to data breaches and regulatory compliance issues. Successful exploitation could also allow an attacker to deface the application or perform actions on behalf of the affected user.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and public disclosure. The vulnerability was published on 2024-11-26.
Exploit Status
EPSS
0.13% (32% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11675 is to upgrade CodeAstro Hospital Management System to version 1.0.1, which includes the necessary fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the Add Patient Details Page to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Regularly review and update input validation routines to address potential bypasses.
Actualizar a una versión parcheada del sistema de gestión hospitalaria CodeAstro. Si no hay una versión disponible, revisar y sanitizar las entradas de usuario en el archivo /backend/admin/his_admin_register_patient.php, específicamente los parámetros pat_fname, pat_ailment, pat_lname, pat_age, pat_dob, pat_number, pat_phone, pat_type y pat_addr, para prevenir la inyección de código XSS.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-11675 is a cross-site scripting (XSS) vulnerability in CodeAstro Hospital Management System versions 1.0, allowing attackers to inject malicious scripts via patient data manipulation.
If you are using CodeAstro Hospital Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the Add Patient Details Page.
While no active exploitation has been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Please refer to the CodeAstro website or relevant security mailing lists for the official advisory regarding CVE-2024-11675.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.