CodeZips Hospital Management System
cpe:2.3:a:codezips:hospital_management_system:*:*:*:*:*:*:*
- 1.0
A critical SQL injection vulnerability has been identified in CodeZips Hospital Management System version 1.0. The issue resides in the file '/suadpeted.php', where the application fails to properly validate the 'id' parameter. This lack of input sanitization allows attackers to inject malicious SQL statements, potentially leading to unauthorized database access, manipulation or deletion of data, and exposure of sensitive information. The vulnerability can be exploited remotely but requires authentication.
Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the application's database queries. This could result in unauthorized data access, data manipulation or deletion, and exposure of confidential information.
To reproduce this vulnerability, log into the application and navigate to the '/suadpeted.php' file. Once there, manipulate the 'id' parameter by injecting malicious SQL code. The application will execute the injected SQL, demonstrating the vulnerability.
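As an added illustration of the defect class described above and its remediation (hypothetical example code, not CodeZips's own; it assumes a `patients` table and uses an in-memory SQLite database with one constructed row so it runs offline):

```php
<?php
// Added illustration, not CodeZips code: an 'id' request parameter spliced
// into SQL (the defect class the advisory describes) next to a hardened form.
// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL-backed deployments also set PDO::ATTR_EMULATE_PREPARES to false
// so binding happens server-side rather than by client-side string quoting.
$pdo->exec('CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO patients (id, name) VALUES (1, 'constructed sample')");

// UNSAFE pattern: the raw request value becomes part of the SQL text, so
// whatever the client sends in 'id' is parsed as SQL rather than as a value.
function fetchPatientUnsafe(PDO $pdo, string $rawId): ?array
{
    $sql = 'SELECT id, name FROM patients WHERE id = ' . $rawId;
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: accept only a positive integer, then bind it as a typed parameter
// of a prepared statement; the value can no longer alter the query structure.
function fetchPatientSafe(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject and record the input: rejected ids are a useful detection signal.
        error_log('rejected id parameter: ' . substr($rawId, 0, 64));
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM patients WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Well-formed input behaves the same in both versions ...
var_dump(fetchPatientSafe($pdo, '1'));      // array with id 1
// ... but only the hardened lookup refuses a value that is not an integer.
var_dump(fetchPatientSafe($pdo, '1abc'));   // NULL, input rejected and logged
```

The validation step also gives operators a detection hook: a spike of rejected `id` values in the error log is the signal to watch for while the fix is rolled out.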