Impact
A SQL injection vulnerability exists in the appointment.php file of itsourcecode Hospital Management System 1.0. The flaw is triggered by manipulating the editid parameter, whose value reaches a database query without adequate neutralization. A remote attacker can therefore inject arbitrary SQL into that query; the public reports do not settle whether authentication is required, so both unauthenticated and authenticated access should be assumed possible. When successful, the attacker can read, modify, or delete database content within the reach of the application's database account, potentially including sensitive patient records and administrative credentials. The vulnerability is classified under CWE-89 (SQL Injection) and its parent class CWE-74 (Injection).
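To make the flaw concrete, the following is an added example and not code from the Hospital Management System project: a small Python re-creation of the vulnerable query pattern the advisory describes, beside a hardened version. The in-memory SQLite database, the table and column names and the sample rows are constructed assumptions; the real appointment.php is PHP and its schema is not given in the advisory.

```python
import sqlite3

# Constructed stand-in schema; the real table and column names are assumptions.
SCHEMA = """
CREATE TABLE appointments (id INTEGER PRIMARY KEY, patient TEXT, notes TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO appointments VALUES (1, 'Alice Smith', 'follow-up'), (2, 'Bob Jones', 'lab results');
INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash');
"""


def new_db():
    """Create a fresh in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_appointment_vulnerable(conn, editid):
    """Vulnerable pattern (assumed to match appointment.php): the request
    parameter is spliced straight into the SQL text, so it can change the
    statement instead of only supplying a value."""
    sql = f"SELECT id, patient, notes FROM appointments WHERE id = {editid}"
    return conn.execute(sql).fetchall()


def fetch_appointment_safe(conn, editid):
    """Hardened version: coerce the identifier to an integer first (anything
    else is rejected), then bind it as a parameter so the driver never
    interprets it as SQL."""
    try:
        appointment_id = int(editid)
    except (TypeError, ValueError):
        raise ValueError("editid must be an integer")
    sql = "SELECT id, patient, notes FROM appointments WHERE id = ?"
    return conn.execute(sql, (appointment_id,)).fetchall()


def demo():
    """Run both implementations against a benign value and two injection
    payloads and return the outcomes keyed by case."""
    conn = new_db()
    benign = "1"
    # Boolean-based payload: the OR clause makes the WHERE match every row.
    dump_all = "1 OR 1=1"
    # UNION-based payload: appends rows from an unrelated table with the same
    # column count, here the users table holding credential hashes.
    union = "0 UNION SELECT id, username, password_hash FROM users"

    results = {
        "vuln_benign": fetch_appointment_vulnerable(conn, benign),
        "vuln_dump_all": fetch_appointment_vulnerable(conn, dump_all),
        "vuln_union": fetch_appointment_vulnerable(conn, union),
        "safe_benign": fetch_appointment_safe(conn, benign),
    }
    for name, payload in (("safe_dump_all", dump_all), ("safe_union", union)):
        try:
            fetch_appointment_safe(conn, payload)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The vulnerable function returns every appointment for the boolean payload and a credential row from an unrelated table for the UNION payload, while the hardened function returns the single requested record and rejects both payloads before any SQL is executed. The equivalent fix in PHP is to cast the identifier (for example with intval()) and to use a prepared statement with a bound parameter through mysqli or PDO rather than building the query by string concatenation.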
Affected Systems
The affected system is itsourcecode Hospital Management System version 1.0, specifically its appointment.php component. Publicly reported data references only this version; no other releases have been cited as impacted.
Risk and Exploitability
A CVSS score of 5.3 places the issue at medium severity. No EPSS score is available, so the probability of exploitation cannot be estimated from that source. The vulnerability is not listed in CISA's KEV catalog, meaning no confirmed in-the-wild exploitation has been recorded there; absence from KEV is not evidence that exploitation is not occurring. The attack vector is network-based: exploitation consists of sending a crafted editid value to the appointment.php endpoint, which requires no special tooling beyond the ability to issue an HTTP request and is possible from the public internet wherever the application is exposed.
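Because exploitation consists of a crafted editid value sent to a known endpoint, exposed deployments can be checked retroactively from web server access logs. The following is an added example, not part of the advisory or the project: a Python triage script that flags requests to appointment.php whose editid is not a plain integer. The log lines are constructed, and the /hms/ path prefix is an assumption about where the application is deployed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format; not real traffic.
# The /hms/ path prefix is an assumption about the deployment location.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /hms/appointment.php?editid=7 HTTP/1.1" 200 1532
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /hms/appointment.php?editid=7%20OR%201%3D1 HTTP/1.1" 200 8910
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /hms/appointment.php?editid=0%20UNION%20SELECT%20id,username,password%20FROM%20users HTTP/1.1" 200 2044
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /hms/index.php HTTP/1.1" 200 700
"""

# Pulls the request target out of the quoted request line.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_editid_requests(log_text):
    """Return (client_ip, decoded editid) pairs for requests to appointment.php
    whose editid is not a plain integer. The parameter is only ever meant to
    carry a record id, so any other shape is anomalous regardless of which
    SQL keywords it contains; this avoids keyword blacklists that encoding or
    comment tricks can evade."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/appointment.php"):
            continue
        client_ip = line.split(" ", 1)[0]
        # parse_qs percent-decodes the values, so encoded spaces and '=' are
        # restored before the integer check.
        for value in parse_qs(url.query).get("editid", []):
            if not value.isdigit():
                hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_editid_requests(SAMPLE_LOG):
        print(f"{ip} sent editid={value!r}")
```

Only query-string parameters are visible in standard access logs; if the application also accepts editid in a POST body, that traffic is not covered by this check and needs request-body logging or a web application firewall in front of the endpoint.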
OpenCVE Enrichment