Impact
The flaw lies in a legacy PHP script that accepts an unvalidated medicineid argument, allowing an attacker to inject arbitrary SQL. The injection can be carried out remotely and has been made public. Successful exploitation would compromise the confidentiality and integrity of medication records, permitting data read, alteration or deletion.
Affected Systems
The vulnerability affects itsourcecode Hospital Management System version 1.0. No other versions or products are listed as affected.
Risk and Exploitability
The CVSS score of 5.3 places this issue in the medium severity range. The EPSS score is not available, but the existence of a public exploit and the ability to target the system remotely increase the practical risk. The vulnerability is not listed in the CISA KEV catalog. An attacker would send a request to the ajaxmedicine.php endpoint with a crafted medicineid value to execute arbitrary SQL queries against the hosted database.
OpenCVE Enrichment