SourceCodester PQMS SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester's Patient Queue Management System (PQMS) version 1.0. The issue resides in the api_patient_schedule.php endpoint, where the appointmentID parameter is not properly sanitized before it is used in a database query, so an attacker can inject arbitrary SQL into that query. The endpoint can be reached remotely without authentication by sending a crafted appointmentID value in a direct HTTP request; the same parameter is also fed from the Appointment ID input field in the patient check-in interface, which gives a second injection path.

Impact

A successful attack lets the attacker alter the queries the endpoint executes. Depending on the query and on the privileges of the database account the application connects with, this can expose data from other tables (patient and appointment records included), modify or delete records, or in some cases perform administrative operations on the database.

Reproduction

To reproduce this vulnerability, send an HTTP GET request to the api_patient_schedule.php endpoint with a crafted SQL injection payload in the appointmentID parameter. Alternatively, log into the application and use the Appointment ID input field in the patient check-in interface to inject the SQL payload. Confirm the issue with a non-destructive test, such as comparing the responses for a value that should match a record and a payload that should not, rather than a payload that modifies data.
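The advisory does not show the code of api_patient_schedule.php, so the following is an added example, not PQMS code: a reconstruction of the kind of string-built query the advisory describes, beside the parameterized version that fixes it. The table name, column names, sample rows and the ID format used by the allow-list check are assumptions; an in-memory SQLite database stands in for the application's database so the script runs offline with plain `php`.

```php
<?php
// Added example, not code from PQMS. The vulnerable pattern below is an assumed
// reconstruction; the table and column names and the appointment ID format are
// hypothetical. In-memory SQLite replaces the application's database for offline use.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE appointments (appointment_id TEXT, patient TEXT, schedule TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO appointments VALUES ('APT-1001', 'Alice', '2025-11-10 09:00'),
                                          ('APT-1002', 'Bob',   '2025-11-10 09:30')");

// Vulnerable pattern: the request parameter is concatenated into the SQL text,
// so the database parses whatever the client sent as part of the query.
function lookup_vulnerable(PDO $db, string $appointmentID): array
{
    $sql = "SELECT patient, schedule FROM appointments "
         . "WHERE appointment_id = '" . $appointmentID . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value is bound to a placeholder in a prepared statement
// and is treated purely as data, never as SQL syntax.
function lookup_safe(PDO $db, string $appointmentID): array
{
    $stmt = $db->prepare(
        'SELECT patient, schedule FROM appointments WHERE appointment_id = :id'
    );
    $stmt->execute([':id' => $appointmentID]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: reject input that cannot be a valid ID before it reaches
// the database. The "APT-<digits>" format is an assumption for this example.
function valid_appointment_id(string $id): bool
{
    return preg_match('/^APT-\d{1,10}$/', $id) === 1;
}

// A legitimate ID and a generic boolean tautology that turns the WHERE clause
// into a condition that is always true (illustrative only).
$legit   = 'APT-1001';
$hostile = "' OR '1'='1";

printf("vulnerable, legit ID : %d row(s)\n", count(lookup_vulnerable($db, $legit)));
printf("vulnerable, hostile  : %d row(s)\n", count(lookup_vulnerable($db, $hostile)));
printf("prepared,   hostile  : %d row(s)\n", count(lookup_safe($db, $hostile)));
printf("allow-list rejects hostile input: %s\n",
       valid_appointment_id($hostile) ? 'no' : 'yes');
```

With the concatenated query, the tautology value matches every row in the table, which is the data-exposure outcome the Impact section describes; the prepared statement returns no rows for the same input because the quote characters are bound as literal text. The allow-list check is a secondary control and does not replace parameterization; the fix for the endpoint is to bind appointmentID in every query that uses it.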

Added: Nov 7, 2025, 6:20 PM
Updated: Nov 7, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm

spread           0.0
impact           5.0
exploitability   8.7
remediation      0.0
relevance        1.0
threat           6.4
urgency          2.9
incentive        5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.