Platform: php
Component: patients-waiting-area-queue-management-system
Fixed in: 1.0.1
CVE-2026-1146 describes a cross-site scripting (XSS) vulnerability discovered in the Patients Waiting Area Queue Management System, specifically affecting version 1.0. This flaw allows attackers to inject malicious scripts into the application by manipulating the firstName/lastName parameters handled by the /php/api_register_patient.php file. The vulnerability is remotely exploitable and has been publicly disclosed, which raises the likelihood of exploitation.
Successful exploitation of CVE-2026-1146 allows an attacker to inject arbitrary JavaScript code into the Patients Waiting Area Queue Management System. This can lead to various malicious outcomes, including session hijacking, defacement of the application's interface, and redirection of users to phishing sites. The attacker could potentially steal sensitive user data, such as patient information, if it's displayed or processed within the application. While the CVSS score is LOW, the ease of exploitation and potential for user interaction make it a concerning risk, especially in environments where the application handles sensitive data or is integrated with other systems.
CVE-2026-1146 was publicly disclosed on 2026-01-19. A public proof-of-concept (PoC) is likely to be available given the public disclosure. The vulnerability's LOW CVSS score suggests a relatively simple exploitation path, but the public availability of the vulnerability increases the likelihood of exploitation attempts. No KEV listing or confirmed exploitation campaigns are currently known.
Healthcare facilities and organizations utilizing the Patients Waiting Area Queue Management System version 1.0 are at risk. This includes clinics, hospitals, and other medical institutions that rely on this system for patient queue management. Shared hosting environments where multiple websites share the same server resources are particularly vulnerable, as a compromise of one website could potentially impact others.
• php / web: locate where the two parameters are read in the deployed source (quote the path, which contains spaces):
grep -rn -e firstName -e lastName "/var/www/html/Patients Waiting Area Queue Management System/"
• generic web: send a harmless marker in the parameter and count whether it is reflected verbatim into the response (the URL must be quoted and the angle brackets URL-encoded so the shell does not interpret them; a non-zero count means the value is echoed without escaping):
curl -s 'http://your-server/php/api_register_patient.php?firstName=%3Cscript%3Ealert(1)%3C/script%3E&lastName=test' | grep -c '<script>'
• generic web: Examine access logs for requests to /php/api_register_patient.php containing suspicious characters in the firstName or lastName parameters (e.g., <script>, javascript:, onerror=), remembering that these will usually appear URL-encoded (%3Cscript%3E) in the log.
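The log review described in the last item, as an added PHP CLI example that is not part of the advisory or of the vendor's project. It parses Apache/Nginx combined-format lines, URL-decodes the firstName and lastName query values of requests to /php/api_register_patient.php, and reports the ones matching common XSS indicators. The three log lines embedded in the script are constructed samples (addresses from the documentation ranges); pass a real log path as the first argument to scan it instead.

```php
<?php
// Added example (not from the advisory or the vendor): scan web-server access-log
// lines for requests to /php/api_register_patient.php whose firstName or lastName
// query parameters contain common XSS indicators.
// Usage: php scan_log.php [access.log]   (without an argument, the constructed samples are scanned)

declare(strict_types=1);

const TARGET_PATH = '/php/api_register_patient.php';

// Indicators are matched on the URL-decoded value, so %3Cscript%3E is caught as well.
const XSS_PATTERNS = [
    '/<\s*script/i',
    '/javascript\s*:/i',
    '/\bon[a-z]+\s*=/i',                       // onerror=, onload=, ...
    '/<\s*(img|svg|iframe|object|embed)\b/i',
];

/** Extract the request target from a combined-format line, or null if the line is malformed. */
function extractRequestTarget(string $line): ?string
{
    if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m) !== 1) {
        return null;
    }
    return $m[1];
}

/**
 * Return the suspicious parameters (name => decoded value) found in one log line,
 * or an empty array when the line is not a hit.
 */
function findSuspiciousParams(string $line): array
{
    $target = extractRequestTarget($line);
    if ($target === null) {
        return [];
    }
    $path  = parse_url($target, PHP_URL_PATH);
    $query = parse_url($target, PHP_URL_QUERY);
    if ($path !== TARGET_PATH || !is_string($query)) {
        return [];
    }
    parse_str($query, $params);               // parse_str() URL-decodes the values
    $hits = [];
    foreach (['firstName', 'lastName'] as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        foreach (XSS_PATTERNS as $pattern) {
            if (preg_match($pattern, $params[$name]) === 1) {
                $hits[$name] = $params[$name];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample lines: a benign registration, an encoded payload, and an unrelated path.
$sampleLog = [
    '203.0.113.5 - - [19/Jan/2026:10:01:02 +0000] "GET /php/api_register_patient.php?firstName=Ana&lastName=Silva HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jan/2026:10:02:15 +0000] "GET /php/api_register_patient.php?firstName=%3Cscript%3Ealert(1)%3C%2Fscript%3E&lastName=test HTTP/1.1" 200 140 "-" "curl/8.0"',
    '198.51.100.7 - - [19/Jan/2026:10:03:40 +0000] "GET /index.php?page=%3Cscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"',
];

$lines = $sampleLog;
if ($argc > 1) {
    $read = file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($read === false) {
        fwrite(STDERR, "cannot read {$argv[1]}\n");
        exit(1);
    }
    $lines = $read;
}

foreach ($lines as $n => $line) {
    $hits = findSuspiciousParams($line);
    if ($hits !== []) {
        printf("line %d: suspicious %s\n", $n + 1, json_encode($hits));
    }
}
```

Only the second sample line is reported; the third is ignored because the match is restricted to the vulnerable endpoint, which keeps the output focused when the same log also serves other applications on a shared host.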
Exploit status: disclosure
EPSS: 0.03% (8th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-1146 is to upgrade to a patched version of the Patients Waiting Area Queue Management System as soon as it becomes available. Until a patch is released, implement input validation and sanitization on the firstName and lastName parameters within the /php/api_register_patient.php file. This helps prevent malicious code from being injected. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. Regularly review and update your WAF rules to ensure they remain effective against known XSS patterns.
Update to a fixed version of the patient queue management system. Contact the vendor for a patched version, or implement input sanitization for the firstName and lastName fields in the /php/api_register_patient.php file to prevent execution of XSS (cross-site scripting) code.
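What the interim mitigation above looks like in code, as an added PHP 8 example that is not the vendor's script. The advisory does not show how api_register_patient.php reads or echoes the parameters, so the request shape (firstName/lastName from the query string, a JSON reply) is an assumption; the point is the pattern: reject values that are not plausible names, and escape whatever is reflected regardless of validation.

```php
<?php
// Added example (not the vendor's code): hardening the handling of firstName/lastName.
// Assumption: the endpoint reads both names from the query string and replies with JSON.

declare(strict_types=1);

// The pattern the advisory describes: a request parameter reflected verbatim into HTML,
// so attacker-controlled markup runs in the browser of whoever views the page.
function renderNameUnsafe(string $firstName, string $lastName): string
{
    return "<p>Registered: $firstName $lastName</p>";
}

/**
 * Validate a person-name field: letters in any script plus combining marks, spaces,
 * hyphens, apostrophes and periods, 1..60 characters. Returns null when invalid.
 * Rejecting early keeps junk out of the queue database as well as out of the page.
 */
function validateName(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60) {
        return null;
    }
    return preg_match('/^[\p{L}\p{M}\s\'\-.]+$/u', $name) === 1 ? $name : null;
}

/** Escape for an HTML text or attribute context. Escape at output even after validation. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderNameSafe(string $firstName, string $lastName): string
{
    return '<p>Registered: ' . h($firstName) . ' ' . h($lastName) . '</p>';
}

/** Build the response for a registration request as [status, headers, body]. */
function handleRegister(array $query): array
{
    $first = validateName($query['firstName'] ?? null);
    $last  = validateName($query['lastName'] ?? null);
    if ($first === null || $last === null) {
        return [400, ['Content-Type: application/json; charset=utf-8'],
                json_encode(['error' => 'invalid name'])];
    }
    // A JSON body with the correct Content-Type (and nosniff) is not rendered as HTML,
    // and the JSON_HEX_* flags keep <, >, & and quotes out of the raw body anyway.
    $body = json_encode(['status' => 'ok', 'html' => renderNameSafe($first, $last)],
                        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return [200, ['Content-Type: application/json; charset=utf-8',
                  'X-Content-Type-Options: nosniff'], $body];
}

if (PHP_SAPI !== 'cli') {
    [$status, $headers, $body] = handleRegister($_GET);
    http_response_code($status);
    foreach ($headers as $hdr) {
        header($hdr);
    }
    echo $body;
} else {
    // CLI demonstration with constructed inputs: a valid name and the advisory's payload.
    $samples = [
        ['firstName' => 'Ana', 'lastName' => "O'Neil"],
        ['firstName' => '<script>alert(1)</script>', 'lastName' => 'test'],
    ];
    foreach ($samples as $q) {
        [$status, , $body] = handleRegister($q);
        echo "$status $body\n";
    }
}
```

Run with `php api_register_patient_hardened.php` to see the first sample accepted with a 200 and the second rejected with a 400. Validation and output escaping are kept as separate steps on purpose: a WAF or a stricter regex can reject more inputs, but escaping at the point of output is what stops the class of bug even when a value slips past validation.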
CVE-2026-1146 is a cross-site scripting (XSS) vulnerability in SourceCodester's Patients Waiting Area Queue Management System version 1.0, affecting the /php/api_register_patient.php file. Attackers can inject malicious scripts via manipulated firstName/lastName arguments.
If you are using Patients Waiting Area Queue Management System version 1.0, you are potentially affected by this XSS vulnerability. Upgrade to a patched version as soon as available.
The recommended fix is to upgrade to a patched version of the Patients Waiting Area Queue Management System. Until a patch is released, implement input validation and sanitization on the firstName and lastName parameters.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation attempts.
Refer to the SourceCodester website and relevant security forums for updates and advisories regarding CVE-2026-1146.