Hospital Management System (HMS) is a computer system that helps manage health care-related information and helps health care providers do their jobs efficiently. Hospital Management System v4.0 contains a cross-site scripting vulnerability that originates in the view-patient.php and view-medhistory.php files: several POST parameters are used directly in INSERT SQL queries without any type of escaping or cleanup. An attacker can exploit this vulnerability to inject malicious JavaScript into the database and steal session cookies from users and administrators.
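The following is an added example of how this class of flaw is closed, not code from HMS itself: POST values are validated and bound as query parameters, stored values are HTML-encoded when rendered, and the session cookie is marked HttpOnly. The table, column and field names are hypothetical, and it assumes PHP with PDO and the SQLite driver available.

```php
<?php
declare(strict_types=1);
// Added example. Table, column and field names are hypothetical, not taken from HMS.

function hardenSessionCookie(): void
{
    // HttpOnly hides the session id from document.cookie; call before session_start().
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}

function saveHistory(PDO $db, int $patientId, array $post): bool
{
    $bp    = trim((string)($post['bp'] ?? ''));
    $notes = trim((string)($post['notes'] ?? ''));
    // Validate structured fields against what they are allowed to contain.
    if (!preg_match('/^\d{2,3}\/\d{2,3}$/', $bp) || strlen($notes) > 2000) {
        return false;
    }
    // Bound parameters: submitted values never become part of the SQL text.
    $stmt = $db->prepare('INSERT INTO medhistory (patient_id, bp, notes) VALUES (?, ?, ?)');
    return $stmt->execute([$patientId, $bp, $notes]);
}

function renderHistory(PDO $db, int $patientId): string
{
    $stmt = $db->prepare('SELECT bp, notes FROM medhistory WHERE patient_id = ?');
    $stmt->execute([$patientId]);
    // Encode at output time, so rows stored before the fix are also neutralised.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<tr><td>' . $e($row['bp']) . '</td><td>' . $e($row['notes']) . "</td></tr>\n";
    }
    return $html;
}

// Constructed demo: in-memory SQLite stands in for the application's database,
// and the submitted note contains markup to show it is rendered as inert text.
hardenSessionCookie();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE medhistory (patient_id INTEGER, bp TEXT, notes TEXT)');
saveHistory($db, 1, ['bp' => '120/80', 'notes' => '<script>alert(1)</script>']);
echo renderHistory($db, 1);
```

Output encoding is the control that addresses the script injection itself; parameter binding and the HttpOnly flag limit the SQL-side exposure and the cookie-theft impact respectively.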