Platform
php
Component
proof-of-concept
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in SourceCodester Doctor Appointment System version 1.0. The flaw is in /register.php, the sign-up page: the Email parameter is not properly validated or encoded before it is written back into the response, so an attacker who controls that value can inject script that runs in a victim's browser. Affected users should prioritize upgrading to a patched version.
Successful exploitation of CVE-2026-3302 lets an attacker execute arbitrary JavaScript in the context of a victim's browser session on the affected site. Typical consequences are session hijacking, credential theft (for example a fake login prompt injected into the page) and defacement. Because the script runs with the victim's privileges, luring a logged-in staff member to a crafted link could expose patient data or administrative functions the attacker would not otherwise reach. The public proof-of-concept lowers the effort required, and the impact is amplified in a healthcare setting, where patient privacy is paramount.
A proof-of-concept exploit for CVE-2026-3302 has been publicly disclosed. The vulnerability is not listed in the CISA KEV catalog, and its EPSS score is 0.03% (8th percentile), so the predicted probability of exploitation in the wild is low; the public exploit nevertheless warrants prompt attention, since XSS payloads of this kind are trivially reusable against any exposed instance. The CVE was published on 2026-02-27.
Healthcare providers and clinics running SourceCodester Doctor Appointment System version 1.0 with a publicly reachable registration page are the primary population at risk. Exposure is greatest where staff with privileged sessions can be induced to follow a crafted link, since the injected script inherits their session. On shared hosting, where the operator may not control the web server configuration, mitigations have to be applied in the application code rather than at the server or WAF layer. Organizations relying on this system for patient data management should prioritize remediation.
• php / web (confirms the endpoint is reachable; this only reports the HTTP status and says nothing about the vulnerability itself):
curl -sS -o /dev/null -w '%{http_code}\n' -G --data-urlencode 'Email=<script>alert(1)</script>' 'http://your-domain.com/register.php'
• generic web (checks whether the payload is reflected unencoded; a match on the raw tag means the Email value is written back without HTML encoding, while an output of &lt;script&gt; means it is being encoded):
curl -sS -G --data-urlencode 'Email=<script>alert(1)</script>' 'http://your-domain.com/register.php' | grep -F '<script>alert(1)</script>'
If the sign-up form submits with POST rather than GET, drop -G so the same --data-urlencode value is sent in the request body.
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3302 is to upgrade to a patched version of Doctor Appointment System; this page lists 1.0.1 as the fixed release, so confirm that the deployed build is at or beyond it. Where the upgrade cannot be applied immediately, harden /register.php directly: validate the Email field server-side (for example with filter_var and FILTER_VALIDATE_EMAIL) and HTML-encode it with htmlspecialchars, using ENT_QUOTES, at every point where it is written back into the page. A Web Application Firewall rule that blocks angle brackets or script-like patterns in the Email parameter reduces exposure but is a filter, not a fix; review and update it as bypass techniques evolve. A Content Security Policy whose script-src omits 'unsafe-inline' blocks injected inline script even if an encoding gap remains, and is worth deploying regardless of the upgrade.
Update to a patched version of Doctor Appointment System. If no patched version is available, sanitize user input, especially the 'Email' field in the registration form, to prevent execution of malicious JavaScript.
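As an added example (not the project's own code or the vendor's patch), the following PHP contrasts the pattern that produces this class of XSS with a hardened version of the same output. The page does not reproduce /register.php, so the function names, the attribute context the Email value lands in, and the per-request nonce are assumptions; the payload is constructed to mirror the public PoC.

```php
<?php
// Added example, not the project's code. The "vulnerable" function below is
// illustrative of the bug class reported for /register.php; the real file is
// not shown on this page, so names and context are assumptions.

// VULNERABLE PATTERN: user-controlled value written straight into the HTML.
// A value such as  "><script>alert(1)</script>  closes the attribute and
// injects a script element.
function render_email_vulnerable(string $email): string
{
    return '<input type="text" name="Email" value="' . $email . '">';
}

// HARDENED, step 1: validate. Anything that is not a syntactically valid
// address is rejected before it reaches any output or storage.
function validate_email(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// HARDENED, step 2: encode for the exact context the value is placed in.
// ENT_QUOTES escapes both " and ' so the value cannot break out of the
// attribute; ENT_SUBSTITUTE prevents an empty result on malformed UTF-8.
function render_email_hardened(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="Email" value="' . $safe . '">';
}

// Defence in depth: a CSP without 'unsafe-inline' keeps a reflected <script>
// block from executing even if an encoding gap slips through. Must be sent
// before any output; $nonce is assumed to be generated per request and added
// to the application's own legitimate <script> tags.
function send_csp_header(string $nonce): void
{
    header("Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'none'");
}

// Constructed inputs: the PoC-style payload and a legitimate address.
$inputs = ['"><script>alert(1)</script>', 'patient@example.org'];

foreach ($inputs as $raw) {
    echo "input:      {$raw}\n";
    echo "vulnerable: " . render_email_vulnerable($raw) . "\n";
    $valid = validate_email($raw);
    if ($valid === null) {
        // Registration should stop here with a fixed error message; never
        // echo the rejected value back unencoded.
        echo "hardened:   rejected by validation\n";
    } else {
        echo "hardened:   " . render_email_hardened($valid) . "\n";
    }
    echo "\n";
}
```

Run with `php example.php`: the script payload is rejected outright by filter_var, and even if a future change were to echo a rejected value back for the user to correct, htmlspecialchars turns the angle brackets and quotes into entities so the markup renders as inert text. Validation and encoding are separate controls; keep both, because validation rules loosen over time and encoding is what actually prevents the injection.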
CVE-2026-3302 is a cross-site scripting vulnerability in Doctor Appointment System 1.0, allowing attackers to inject malicious scripts via the Email parameter in /register.php.
If you are using Doctor Appointment System version 1.0, you are potentially affected. Upgrade as soon as possible.
Upgrade to a patched version of Doctor Appointment System. If a patch is unavailable, implement input validation and output encoding, and consider a WAF.
A proof-of-concept exploit is publicly available, so exploitation requires little effort even though the EPSS score (0.03%) is low. Prompt action is recommended.
Check the SourceCodester website and relevant security forums for updates and advisories related to CVE-2026-3302.