SourceCodester Patients Waiting Area Queue Management System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in SourceCodester Patients Waiting Area Queue Management System version 1.0. The issue resides in the public queue monitor file 'queue.php', where patient names are read from the database and written into the page without output encoding, so any markup stored in a name is interpreted by the browser. This flaw allows attackers to inject malicious JavaScript payloads, which are executed in the browsers of users viewing the queue. The vulnerability poses a significant risk, especially on public-facing kiosks, as it enables persistent script execution and could compromise administrative sessions if the affected queue is viewed by staff.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed automatically for users viewing the public queue. This could lead to session hijacking of administrators, defacement of the queue display, or disruption of service by causing the public monitor to display erroneous information.

Reproduction

To reproduce this vulnerability, register a new patient through the application’s registration page. Input a JavaScript payload, such as an image tag with an 'onerror' event, into the first name or last name fields. After registration, navigate to the public queue page, where the injected script will execute immediately. The payload will remain visible in the queue table after the alert is closed.
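The following is an added example, not code from the SourceCodester project: it shows the output pattern described above beside its hardened form, where the only change is HTML-encoding each stored value at the point it is written into the page. The table layout and the column names (queue_number, first_name, last_name) are assumptions made for illustration.

```php
<?php
// Added example, not the project's own code. Column names are assumed.

// Vulnerable pattern: the stored value is concatenated into the page as-is,
// so any markup contained in a patient name is parsed by the browser.
function render_queue_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['queue_number'] . '</td><td>'
         . $row['first_name'] . ' ' . $row['last_name'] . '</td></tr>';
}

// Hardened pattern: every untrusted value is HTML-encoded at output time.
// ENT_QUOTES also escapes single quotes, so the helper is safe inside
// attribute values as well as element content; ENT_SUBSTITUTE keeps a
// malformed UTF-8 byte sequence from silently producing an empty string.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_queue_row(array $row): string
{
    return '<tr><td>' . h($row['queue_number']) . '</td><td>'
         . h($row['first_name']) . ' ' . h($row['last_name']) . '</td></tr>';
}

// Constructed sample record standing in for a row fetched from the database.
$row = [
    'queue_number' => '17',
    'first_name'   => '<b>Mallory</b>',
    'last_name'    => 'O\'Brien "<i>"',
];

echo render_queue_row_unsafe($row), PHP_EOL; // tags reach the browser intact
echo render_queue_row($row), PHP_EOL;        // tags are shown as literal text
```

Encoding at output is the fix for this class of bug; rejecting markup characters in the name fields at registration is a useful second layer but does not protect records that are already stored or written by another code path.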

Added: Feb 25, 2026, 11:02 AM
Updated: Feb 25, 2026, 3:13 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.