Platform: php
Component: patients-waiting-area-queue-management-system
Fixed in: 1.0.1
CVE-2026-1147 describes a cross-site scripting (XSS) vulnerability discovered in the Patients Waiting Area Queue Management System, specifically affecting version 1.0. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability resides within the /php/apipatientschedule.php file, and exploitation can be initiated remotely. A public proof-of-concept is available, highlighting the potential for immediate exploitation.
The primary impact of CVE-2026-1147 is the potential for cross-site scripting (XSS) attacks. An attacker can inject malicious JavaScript code into the application, which will then be executed in the context of a user's browser. This can lead to various consequences, including session hijacking, redirection to malicious websites, and the theft of sensitive information such as login credentials or personal data. Given the public availability of a proof-of-concept, the risk of exploitation is elevated, particularly for systems that are not promptly patched. The attack vector is remote, meaning an attacker does not need to be on the same network as the vulnerable system.
CVE-2026-1147 has been publicly disclosed and a proof-of-concept is available, indicating a moderate risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score reflects the relatively simple exploitation process and the potential for limited impact, although the public PoC significantly increases the likelihood of exploitation. Active campaigns targeting this specific vulnerability are not currently confirmed, but the public availability of the exploit makes it a potential target for opportunistic attackers.
Healthcare facilities and clinics utilizing the Patients Waiting Area Queue Management System version 1.0 are at immediate risk. Shared hosting environments where multiple users share the same server are particularly vulnerable, as an attacker could potentially compromise other applications on the same server through this XSS vulnerability. Organizations relying on this system for patient management and scheduling are also at risk.
• generic web: Use curl to test the /php/apipatientschedule.php endpoint with a malicious payload in the 'Reason' parameter, and check the response for signs of script execution:
  curl 'http://your-target-url/php/api_patient_schedule.php?Reason=<script>alert("XSS")</script>'
• generic web: Examine access and error logs for suspicious requests targeting /php/apipatientschedule.php with unusual parameters.
• php: Review the source code of /php/apipatientschedule.php for inadequate input validation or output encoding of the 'Reason' parameter.
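The log review step above can be automated. The following is an added example and not code from the advisory or from the SourceCodester project: a small PHP CLI script that scans combined-format access log lines for requests to the endpoint whose URL-decoded 'Reason' parameter contains markup or script indicators. The log lines, IP addresses and both path spellings checked are constructed for illustration.

```php
<?php
// Added example (not from the original advisory or the project): flag
// access-log requests to the patient schedule endpoint whose 'Reason'
// query parameter carries HTML or JavaScript. Sample log lines below
// are constructed for illustration.

declare(strict_types=1);

// Both spellings seen on the advisory page are checked; assumption only.
const TARGET_SCRIPTS = ['/php/api_patient_schedule.php', '/php/apipatientschedule.php'];

/**
 * Return the decoded 'Reason' value when the request line targets the
 * endpoint and the parameter looks like markup, otherwise null.
 */
function flagSuspiciousRequest(string $logLine): ?string
{
    // Combined log format: client - user [time] "METHOD path HTTP/x" status size
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if ($url === false || !in_array($url['path'] ?? '', TARGET_SCRIPTS, true)) {
        return null;
    }
    // parse_str URL-decodes the query string, so %3Cscript%3E becomes <script>.
    parse_str($url['query'] ?? '', $params);
    if (!isset($params['Reason']) || !is_string($params['Reason'])) {
        return null;
    }
    $reason = $params['Reason'];
    // Indicators: an opening/closing tag, an inline event handler, or a javascript: URI.
    if (preg_match('/<\s*\/?\s*[a-z!]|on\w+\s*=|javascript\s*:/i', $reason)) {
        return $reason;
    }
    return null;
}

/** Map 1-based line numbers to the suspicious Reason values found. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $reason = flagSuspiciousRequest($line);
        if ($reason !== null) {
            $hits[$n + 1] = $reason;
        }
    }
    return $hits;
}

// Constructed sample: one benign request, one carrying the advisory's payload,
// one unrelated request to another script.
$sampleLog = [
    '203.0.113.5 - - [10/Jan/2026:09:14:02 +0000] "GET /php/api_patient_schedule.php?Reason=Follow-up+visit HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2026:09:15:11 +0000] "GET /php/api_patient_schedule.php?Reason=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E HTTP/1.1" 200 640',
    '198.51.100.7 - - [10/Jan/2026:09:16:40 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
];

foreach (scanLog($sampleLog) as $lineNo => $reason) {
    printf("line %d: suspicious Reason value %s\n", $lineNo, json_encode($reason));
}
```

Because the check runs on the decoded parameter value, percent-encoded payloads are caught along with literal ones; POST bodies are not in the access log, so requests that submit 'Reason' in a form body need the application or WAF log instead.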
EPSS: 0.03% (8th percentile)
The recommended mitigation for CVE-2026-1147 is to upgrade to a patched version of the Patients Waiting Area Queue Management System. Since a fixed version is not specified, immediate action is crucial. As an interim measure, implement a Web Application Firewall (WAF) rule to filter or sanitize user input to the 'Reason' parameter in /php/apipatientschedule.php. Carefully review and validate all user-supplied data before rendering it in the application. Consider implementing input validation and output encoding techniques to prevent XSS attacks. After implementing mitigation steps, thoroughly test the application to ensure that the vulnerability has been effectively addressed.
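To make the output-encoding and input-validation advice concrete, here is an added illustration that is not code from the SourceCodester project: a stand-in for a handler that reflects the 'Reason' parameter, shown in its vulnerable form beside a hardened one. The function names and the allow-list pattern are assumptions for the example.

```php
<?php
// Added illustration, not code from the SourceCodester project. A minimal
// stand-in for a handler that reflects the 'Reason' parameter into HTML;
// the real /php/apipatientschedule.php is not reproduced here.

declare(strict_types=1);

// Vulnerable pattern: user input is concatenated straight into HTML, so a
// value containing a <script> element is interpreted by the browser.
function renderReasonVulnerable(string $reason): string
{
    return '<td>' . $reason . '</td>';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES covers both quote styles so the value is also safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently drop the field.
function renderReasonSafe(string $reason): string
{
    $encoded = htmlspecialchars($reason, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Defence in depth: reject values that cannot be a legitimate reason before
// they are stored. The allow-list below is a constructed example, not the
// application's own rule.
function validateReason(string $reason): ?string
{
    $reason = trim($reason);
    if ($reason === '' || mb_strlen($reason) > 200) {
        return null;
    }
    // Letters in any script, digits, spaces and a small set of punctuation.
    if (!preg_match('/^[\p{L}\p{N} .,\'\-\/()]+$/u', $reason)) {
        return null;
    }
    return $reason;
}

// Self-check with the payload from the advisory.
$payload = '<script>alert("XSS")</script>';
echo renderReasonVulnerable($payload), PHP_EOL;  // raw (unsafe) rendering
echo renderReasonSafe($payload), PHP_EOL;        // encoded rendering
var_dump(validateReason($payload));              // rejected by the allow-list
var_dump(validateReason('Follow-up visit'));     // accepted
```

Encoding belongs at the point of output, chosen for the context (HTML body, attribute, JavaScript, URL); validation on input narrows what reaches storage but does not replace encoding, since stored values may later be rendered in a context the validator did not anticipate.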
Upgrade to a patched version of the Patients Waiting Area Queue Management System. Contact the vendor for a corrected version or apply the necessary security measures to prevent XSS attacks, such as sanitizing user input.
CVE-2026-1147 is a cross-site scripting (XSS) vulnerability in SourceCodester's Patients Waiting Area Queue Management System version 1.0, allowing attackers to inject malicious scripts via the 'Reason' parameter.
If you are using Patients Waiting Area Queue Management System version 1.0, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade to a patched version of the Patients Waiting Area Queue Management System. Until a patch is available, implement WAF rules and input validation to mitigate the risk.
While active campaigns are not confirmed, a public proof-of-concept exists, increasing the likelihood of exploitation.
Refer to the SourceCodester website or relevant security forums for updates and advisories regarding CVE-2026-1147.