Platform
php
Component
e2953222b47c29c8c69855f5d623267d
Fixed in
1.0.1
CVE-2026-3170 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester's Patients Waiting Area Queue Management System. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or other client-side attacks. The vulnerability impacts version 1.0 of the system and is triggered by manipulating the First Name/Last Name arguments within the /patient-search.php file. A patch is expected from the vendor.
The XSS vulnerability in Patients Waiting Area Queue Management System allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited by crafting malicious URLs containing the injected script, which are then executed in the context of a user's browser when they visit the affected page. Successful exploitation could lead to an attacker stealing session cookies, redirecting users to phishing sites, or defacing the website. The remote nature of the vulnerability means an attacker doesn't need to be on the same network as the server to exploit it. Given the public availability of the exploit, the risk of exploitation is elevated.
CVE-2026-3170 is currently considered a LOW severity vulnerability with a CVSS score of 2.4. A public proof-of-concept (PoC) is available, indicating a higher probability of exploitation. The vulnerability was disclosed on 2026-02-25. It is not currently listed on CISA KEV, but its public PoC status warrants monitoring.
Healthcare facilities and clinics using SourceCodester's Patients Waiting Area Queue Management System version 1.0 are at risk. Organizations with limited security expertise or those who haven't implemented robust input validation practices are particularly vulnerable. Shared hosting environments where multiple users share the same server resources are also at increased risk.
• php / web:
curl -s 'http://your-target-domain.com/patient-search.php?FirstName=<script>alert(1)</script>&LastName='   # -s fetches the body; the original -I sends a HEAD request, which returns headers only, so reflection of the parameter could never be seen
• generic web:
grep -i '<script' /var/log/apache2/access.log   # matches only literal, un-encoded occurrences in logged request lines
Exploit status
EPSS
0.03% (percentile 7%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3170 is to upgrade to a patched version of the Patients Waiting Area Queue Management System as soon as it becomes available from SourceCodester. Until a patch is released, consider implementing input validation and sanitization on the First Name/Last Name fields in /patient-search.php to prevent the injection of malicious scripts. Web application firewalls (WAFs) can be configured to filter out potentially malicious requests containing XSS payloads. Regularly review and update security policies to ensure they address XSS vulnerabilities.
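The following is an added illustration, not code from SourceCodester's project: a hypothetical reconstruction of how a search page can reflect the FirstName/LastName parameters into HTML, next to a hardened version that applies allowlist validation and HTML-context encoding. The function names, HTML layout and validation rules are assumptions.

```php
<?php
// Added example (not the project's code). The reflection below is a hypothetical
// reconstruction of the vulnerable pattern, not the actual /patient-search.php source.

// Vulnerable pattern: request parameters are written into the HTML response as-is,
// so a value such as <script>alert(1)</script> becomes live markup in the browser.
function render_search_vulnerable(array $get): string
{
    $first = $get['FirstName'] ?? '';
    $last  = $get['LastName'] ?? '';
    return "<p>Results for: $first $last</p>";
}

// Allowlist validation for a name field: empty is allowed (one field may be left
// blank in a search), otherwise letters, combining marks, spaces, hyphens and
// apostrophes only, with a length bound. Returns null when the value is rejected.
function validate_name(string $value): ?string
{
    $value = trim($value);
    if ($value === '') {
        return '';
    }
    if (mb_strlen($value) > 64) {
        return null;
    }
    return preg_match('/^[\p{L}\p{M} \'\-]+$/u', $value) ? $value : null;
}

// Output encoding for the HTML body context. This is the step that actually
// prevents the XSS; validation only rejects obviously bad input early.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_search_safe(array $get): string
{
    $first = validate_name((string)($get['FirstName'] ?? ''));
    $last  = validate_name((string)($get['LastName'] ?? ''));
    if ($first === null || $last === null) {
        return '<p>Invalid name.</p>';
    }
    return '<p>Results for: ' . e($first) . ' ' . e($last) . '</p>';
}

// Constructed request using the payload from the check command above.
$request = ['FirstName' => '<script>alert(1)</script>', 'LastName' => "O'Brien"];
echo render_search_vulnerable($request), PHP_EOL; // script element reaches the browser
echo render_search_safe($request), PHP_EOL;       // rejected by validate_name
$request['FirstName'] = 'Ana-María';
echo render_search_safe($request), PHP_EOL;       // accepted; apostrophe is encoded
```

Run it with `php example.php` to compare the three responses; even if the validator were loosened, the encoded output would still render the payload as text rather than executing it.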
Update to a fixed version of the patient queue management system. Contact the vendor for a fixed version or apply the security measures needed to prevent XSS code execution in the /patient-search.php file.
CVE-2026-3170 is a cross-site scripting (XSS) vulnerability affecting SourceCodester's Patients Waiting Area Queue Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using version 1.0 of Patients Waiting Area Queue Management System, you are potentially affected by this XSS vulnerability.
Upgrade to a patched version of the Patients Waiting Area Queue Management System as soon as it is available from the vendor. Implement input validation and WAF rules as temporary mitigations.
A public proof-of-concept exists, suggesting a higher probability of active exploitation. Monitor your systems for suspicious activity.
Check the SourceCodester website and relevant security mailing lists for the official advisory regarding CVE-2026-3170.