phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter.
An attacker submits crafted data in the 'username' parameter of the login form in the index.php file, which is included in the SQL query without proper validation or parameterization. This allows injection of arbitrary SQL instructions directly into the query executed by the database. The attack requires no authentication or user interaction.
An attacker can gain unauthorized access to the database, read, modify or delete sensitive patient and medical staff data, and under favorable conditions take full control of the system or database server.
Apply patches available from the vendor according to references. As interim measures, it is recommended to restrict system access only to trusted networks, implement WAF rules blocking SQL Injection attempts, and replace dynamic SQL queries with parameterized queries (prepared statements).
phpgurukul Hospital Management System version 4.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPhpgurukul Hospital Management System
APPPhpgurukul4.0
Related vulnerabilities
SQL Injection w phpgurukul Hospital Management System 4.0 (add-doctor.php)
RCE w Phpgurukul Hospital Management System v4.0 przez edit-profile.php
Nieograniczony upload plików w Hospital Management System V4.0
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote atta...
Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Managemen...