PHPGurukul Hospital Management System
cpe:2.3:a:phpgurukul:hospital_management_system:*:*:*:*:*:*:*
- 4.0
A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Hospital Management System version 4.0. The issue resides in the 'Email' parameter of the '/doctor/index.php' file. This vulnerability allows for the injection of malicious scripts, which can be executed in the context of the user.
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the user's browser.
To reproduce this vulnerability, navigate to the '/doctor/index.php' page. No authentication is required. In the 'Email' field, enter a script payload, for example a script tag containing JavaScript code such as an alert. The password can be any string that meets the requirements. After submitting the login form, the injected script will be executed. To trigger the XSS, log in as an admin and go to 'admin/doctor-logs.php', where the injected script will execute.
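The fix for this class of issue is to encode the logged 'Email' value when the log page renders it, and to reject malformed addresses before they are stored. The sketch below is an added example, not PHPGurukul's code: the function names, the `username`/`status` row keys and the sample row are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the application's real code is not shown on the page.

/** Input side: accept only a syntactically valid address, else null. */
function normalize_login_email(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Vulnerable pattern: the stored value is concatenated into HTML as-is. */
function render_log_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['username'] . '</td><td>' . $row['status'] . '</td></tr>';
}

/** Hardened pattern: every stored value is HTML-encoded at output time. */
function render_log_row_safe(array $row): string
{
    $enc = static fn(string $v): string =>
        htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<tr><td>' . $enc($row['username']) . '</td><td>' . $enc($row['status']) . '</td></tr>';
}

// Constructed sample: a login attempt whose 'Email' field holds markup.
$submitted = '<script>alert(1)</script>';

// Validation alone is not sufficient (valid addresses may still contain
// characters such as a single quote), so it complements output encoding.
$logged = normalize_login_email($submitted) ?? '[invalid email]';

// A row as it would look if the raw value had already been stored.
$legacyRow = ['username' => $submitted, 'status' => 'failed'];

echo 'stored after validation: ', $logged, PHP_EOL;
echo 'unsafe render: ', render_log_row_unsafe($legacyRow), PHP_EOL;
echo 'safe render:   ', render_log_row_safe($legacyRow), PHP_EOL;
```

Encoding at render time also neutralizes rows that were written to the log table before any input validation was introduced.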