Platform
php
Component
e2953222b47c29c8c69855f5d623267d
Fixed version
1.0.1
1.0.1
CVE-2026-3170 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester's Patients Waiting Area Queue Management System. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or other client-side attacks. The vulnerability impacts version 1.0 of the system and is triggered by manipulating the First Name/Last Name arguments within the /patient-search.php file. A patch is expected from the vendor.
The XSS vulnerability in Patients Waiting Area Queue Management System allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited by crafting malicious URLs containing the injected script, which are then executed in the context of a user's browser when they visit the affected page. Successful exploitation could lead to an attacker stealing session cookies, redirecting users to phishing sites, or defacing the website. The remote nature of the vulnerability means an attacker doesn't need to be on the same network as the server to exploit it. Given the public availability of the exploit, the risk of exploitation is elevated.
CVE-2026-3170 is currently considered a LOW severity vulnerability with a CVSS score of 2.4. A public proof-of-concept (PoC) is available, indicating a higher probability of exploitation. The vulnerability was disclosed on 2026-02-25. It is not currently listed on CISA KEV, but its public PoC status warrants monitoring.
Healthcare facilities and clinics using SourceCodester's Patients Waiting Area Queue Management System version 1.0 are at risk. Organizations with limited security expertise or those who haven't implemented robust input validation practices are particularly vulnerable. Shared hosting environments where multiple users share the same server resources are also at increased risk.
• php / web:
  curl -I 'http://your-target-domain.com/patient-search.php?FirstName=<script>alert(1)</script>&LastName='
• generic web:
  grep -i '<script' /var/log/apache2/access.log
  Note that this grep only matches the raw tag; requests in which the payload arrives URL-encoded (for example %3Cscript) are missed unless the pattern also covers the encoded form, e.g. grep -iE '<script|%3cscript'.
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3170 is to upgrade to a patched version of the Patients Waiting Area Queue Management System as soon as it becomes available from SourceCodester. Until a patch is released, consider implementing input validation and sanitization on the First Name/Last Name fields in /patient-search.php to prevent the injection of malicious scripts. Web application firewalls (WAFs) can be configured to filter out potentially malicious requests containing XSS payloads. Regularly review and update security policies to ensure they address XSS vulnerabilities.
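As an added example that is not code from the SourceCodester project (the real /patient-search.php source is not reproduced here), the following PHP puts the vulnerable pattern the advisory implies, untrusted FirstName/LastName parameters echoed straight into the page, beside a hardened handler: whitelist validation, htmlspecialchars output encoding, and a Content-Security-Policy header as defense in depth. The function names, the name regex, the length limit and the CSP policy are this example's own assumptions; only the parameter names and file come from the advisory.

```php
<?php
// Added example, not the project's code. The shape of the vulnerable
// handler below is an assumption about how the reflected XSS arises.
declare(strict_types=1);

// Whitelist validation for a person's name: letters (any script), spaces,
// apostrophes and hyphens, bounded length. Returns null on rejection.
function validate_name(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 64) {
        return null;
    }
    // Assumed policy: must start with a letter; no angle brackets, quotes or slashes.
    if (!preg_match('/^\p{L}[\p{L}\' -]*$/u', $value)) {
        return null;
    }
    return $value;
}

// Output encoding is the actual fix for reflected XSS: encode at the point
// the value is written into HTML, independently of any input validation.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (assumed): GET parameters concatenated into markup unencoded,
// so a <script> tag in FirstName reaches the browser as executable HTML.
function render_vulnerable(array $get): string
{
    return '<p>Results for ' . ($get['FirstName'] ?? '') . ' '
         . ($get['LastName'] ?? '') . '</p>';
}

// Hardened pattern: reject values outside the whitelist, and encode whatever
// is rendered, so even an accepted value cannot break out of the text node.
function render_hardened(array $get): string
{
    $first = validate_name($get['FirstName'] ?? null);
    $last  = validate_name($get['LastName'] ?? null);
    if ($first === null || $last === null) {
        return '<p>Invalid search term.</p>';
    }
    return '<p>Results for ' . h($first) . ' ' . h($last) . '</p>';
}

// Defense in depth: a CSP that forbids inline script limits the impact if an
// encoding call is missed elsewhere in the application. Must precede any output.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample input mirroring the payload quoted in the advisory.
$sample = ['FirstName' => '<script>alert(1)</script>', 'LastName' => 'Doe'];

send_security_headers();
echo render_vulnerable($sample), PHP_EOL; // script tag survives into the markup
echo render_hardened($sample), PHP_EOL;   // rejected by validate_name()
echo render_hardened(['FirstName' => "O'Brien", 'LastName' => 'Smith']), PHP_EOL; // accepted and encoded
```

Run it from the command line with `php example.php` to compare the two renderings; in the web context the same functions replace the direct echo of `$_GET` values. Validation alone is not sufficient because a later code path (a database round-trip, a CSV export, an admin view) may render the same value in a different context, so the encoding in h() is the control to keep even if the whitelist is relaxed.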
Update the Patients Waiting Area Queue Management System to the patched version. Contact the vendor to obtain the fixed version, or apply the security measures needed to prevent execution of XSS code in the /patient-search.php file.
CVE-2026-3170 is a cross-site scripting (XSS) vulnerability affecting SourceCodester's Patients Waiting Area Queue Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using version 1.0 of Patients Waiting Area Queue Management System, you are potentially affected by this XSS vulnerability.
Upgrade to a patched version of the Patients Waiting Area Queue Management System as soon as it is available from the vendor. Implement input validation and WAF rules as temporary mitigations.
A public proof-of-concept exists, suggesting a higher probability of active exploitation. Monitor your systems for suspicious activity.
Check the SourceCodester website and relevant security mailing lists for the official advisory regarding CVE-2026-3170.