CodeAstro Patient Record Management System Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in CodeAstro Patient Record Management System version 1.0. An attacker can trick an authenticated user into submitting crafted POST data, leading to unauthorized actions such as record searches performed without the user's knowledge. The vulnerability exists in the viewRecord.php endpoint and can be exploited remotely without the attacker authenticating to the application, although it requires user interaction from a logged-in user.

Impact

A successful attack lets the attacker cause an authenticated user to perform actions in the application without their consent, potentially leading to unauthorized access to, or manipulation of, patient records.

Reproduction

To reproduce this vulnerability, an authenticated user must be induced to interact with a crafted link or form that submits POST data to the viewRecord.php endpoint. This can be done by embedding the CSRF payload in a way that exploits the user's session with the application.
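As a defensive reference, the standard fix is a synchronizer token: issue a per-session secret, embed it in the search form, and have viewRecord.php reject any POST that does not carry the matching value. This is an added example, not code from CodeAstro's Patient Record Management System; the form field names `search` and `csrf_token` are assumptions.

```php
<?php
// Added example (not CodeAstro PRMS code): synchronizer-token CSRF
// protection for a POST search handler such as viewRecord.php.
// Assumed: the application already uses PHP sessions for login state.

session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',   // cross-site POSTs will not carry the session cookie
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();

// Issue one random token per session; embed it in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject any POST whose token is missing or does not match the session's.
// hash_equals() compares in constant time to avoid a timing side channel.
function csrf_check(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    $kept = $_SESSION['csrf_token'] ?? '';
    if ($kept === '' || !hash_equals($kept, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_check();
    // ... existing record-search logic using $_POST['search'] (assumed name) ...
}
?>
<form method="post" action="viewRecord.php">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="search" placeholder="Search records">
    <button type="submit">Search</button>
</form>
```

A forged cross-site form cannot read the victim's token, so its POST fails the check even if the browser still attaches the session cookie.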

Added: Jun 25, 2025, 9:19 PM
Updated: Jun 25, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          0.0
impact          2.5
exploitability  7.7
remediation     0.0
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.