SourceCodester Patients Waiting Area Queue Management System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Patients Waiting Area Queue Management System version 1.0. The issue arises in the file '/php/api_register_patient.php', where the 'firstName' and 'lastName' registration fields are not properly sanitized before being saved to the database. This unsanitized input is later displayed in 'queue.php' and 'dashboard.php', allowing for the injection of malicious scripts. The vulnerability can be exploited remotely and requires user interaction.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, register a patient through the application’s registration form. Input a script payload in the 'firstName' or 'lastName' fields. Once the data is submitted, the injected script will be executed when the information is displayed on 'queue.php' or 'dashboard.php'.