phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the docname parameter.
The vulnerability results from insufficient validation and sanitization of user input data passed to the docname parameter in the add-doctor.php file. An attacker can inject malicious SQL code directly into the query executed by the database, allowing manipulation of query logic. The attack can be performed remotely without the need to possess any privileges or user interaction.
An attacker can gain unauthorized access to sensitive data stored in the database (including patient and medical staff data), modify or delete records, and under favorable conditions lead to complete loss of system availability.
Patches available from the vendor should be applied in accordance with the references. Additionally, it is recommended to implement parameterized SQL queries (prepared statements) and restrict access to sensitive application files at the web server level.
phpgurukul Hospital Management System version 4.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPhpgurukul Hospital Management System
APPPhpgurukul4.0
Related vulnerabilities
SQL Injection w phpgurukul Hospital Management System 4.0 (parametr username)
RCE w Phpgurukul Hospital Management System v4.0 przez edit-profile.php
Nieograniczony upload plików w Hospital Management System V4.0
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote atta...
Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Managemen...