SourceCodester Patients Waiting Area Queue Management System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in SourceCodester Patients Waiting Area Queue Management System version 1.0. The issue resides in the 'Find Patient' module, specifically within the 'patient-search.php' file. The vulnerability arises because the application does not properly sanitize patient registration data, particularly the First Name and Last Name fields, before saving it to the database. This lack of sanitization allows remote attackers to inject malicious payloads, which are stored and then executed in the browser of any user who views the search results.
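The pattern described above, reduced to its essentials as an added example (this is illustrative code, not the project's own source): a stored name is echoed into the search-results page, first without any output encoding and then through a context-aware encoder. The function names, the `$patients` array and the `validate_name()` rule are constructed for the example.

```php
<?php
// Added example, not code from the vulnerable project. Function names and
// sample data are hypothetical. Shows the unsafe rendering pattern next to
// the hardened one for a patient-search results table.

// Constructed sample rows standing in for what the database would return.
// The second row contains characters that matter in HTML but are not a payload.
$patients = [
    ['id' => 1, 'first_name' => 'Maria',        'last_name' => 'Lopez'],
    ['id' => 2, 'first_name' => "O'Brien <b>",  'last_name' => '"Smith" & Co'],
];

// Vulnerable pattern: the stored value is interpolated straight into HTML,
// so any markup stored in first_name / last_name becomes part of the page.
function render_row_unsafe(array $p): string
{
    return "<tr><td>{$p['first_name']}</td><td>{$p['last_name']}</td></tr>";
}

// Hardened pattern: encode for the HTML-body context at output time.
// ENT_QUOTES also encodes single quotes (needed if the value ever lands in an
// attribute); ENT_SUBSTITUTE keeps invalid UTF-8 from silently returning ''.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $p): string
{
    return '<tr><td>' . h($p['first_name']) . '</td><td>' . h($p['last_name']) . '</td></tr>';
}

// Optional defence in depth at registration time: reject names that carry
// markup characters. This is a hypothetical rule; it must stay permissive
// enough for apostrophes, hyphens and accented letters, which is why output
// encoding, not input filtering, is the control that actually prevents XSS.
function validate_name(string $name): bool
{
    if (mb_strlen($name, 'UTF-8') === 0 || mb_strlen($name, 'UTF-8') > 64) {
        return false;
    }
    // Letters (any script), marks, spaces, apostrophe, hyphen and period only.
    return preg_match('/^[\p{L}\p{M}\s\'\-.]+$/u', $name) === 1;
}

foreach ($patients as $p) {
    echo 'unsafe: ' . render_row_unsafe($p) . PHP_EOL;
    echo 'safe:   ' . render_row_safe($p) . PHP_EOL;
    echo 'valid names: '
        . var_export(validate_name($p['first_name']) && validate_name($p['last_name']), true)
        . PHP_EOL;
}
```

Run with `php example.php`: the unsafe line for the second row emits a literal `<b>` tag and raw quotes into the table, while the safe line emits `&lt;b&gt;`, `&#039;`, `&quot;` and `&amp;`, which the browser displays as text. The validation helper would reject the second row at registration, but a deployment should treat that as a secondary check; the encoder in `h()` is what has to wrap every database-sourced value written into `patient-search.php`.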

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the search results. This could lead to session hijacking, unauthorized access to data, or takeover of administrative accounts.

Reproduction

To reproduce this vulnerability, register a patient whose First Name or Last Name field contains a script payload, such as an image tag with an 'onerror' event. After the payload is saved in the database, navigate to the 'Find Patient' module at 'patient-search.php'. The injected script will execute, demonstrating the cross-site scripting vulnerability.

Added: Feb 25, 2026, 8:23 AM
Updated: Feb 25, 2026, 8:23 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  6.3
remediation     0.0
relevance       3.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.