SourceCodester Patients Waiting Area Queue Management System Improper Authorization Vulnerability in Check-in Feature
Vulnerability
An improper authorization vulnerability has been identified in SourceCodester Patients Waiting Area Queue Management System version 1.0. The issue resides in the check-in feature, specifically within the checkin.php file. The script trusts the patient_id request parameter as supplied by the client, so an authenticated user can change it and submit queue entries on behalf of other patients without any server-side check that they are authorized to act for that patient. This weakness can be exploited remotely, leading to unauthorized actions and potential disruption in clinical workflows.
Impact
Exploitation of this vulnerability allows for unauthorized queue submissions on behalf of other patients, impersonation within the system's workflow, and manipulation of waiting room records. This could disrupt clinical operations and pose compliance and privacy risks in a healthcare context.
Reproduction
To reproduce this vulnerability, log in with staff credentials and navigate to the Waiting Room dashboard. Register a new patient, which will redirect to the checkin.php page. After checking in the patient, manually change the patient_id parameter in the URL to a different patient's ID and submit the check-in form. The dashboard will reflect the check-in under the new patient's name, confirming the vulnerability.
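The following is an added example, not code from SourceCodester or the affected project, showing the trust pattern the advisory describes next to a hardened check-in handler. It assumes a `patients` table, a `pending_checkin_patient` session key set by the registration step, and an in-memory SQLite store (constructed here so it runs offline); the real application's schema and session layout are not documented on this page.

```php
<?php
// Added example (not the project's code). Table, column and session key names are assumptions.
declare(strict_types=1);

// Constructed in-memory store so the example runs offline; the real app uses its own DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO patients VALUES (7, 'Patient A'), (8, 'Patient B')");

/**
 * Weak pattern described in the advisory: the patient_id from the request is the only
 * input, and the handler only verifies that such a patient exists. Any staff session
 * can therefore check in any patient id it supplies.
 */
function checkinUnchecked(PDO $db, array $request): bool
{
    $id = (int)($request['patient_id'] ?? 0);
    $stmt = $db->prepare('SELECT id FROM patients WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch() !== false;   // existence only, no authorization check
}

/**
 * Hardened form: the registration step records the patient it just created in the
 * server-side session (assumed key 'pending_checkin_patient'). The check-in handler
 * honours the request parameter only if it matches that server-held value and the
 * patient row exists; anything else is logged and refused. Returns the authorized
 * patient id, or null when the request must be rejected.
 */
function authorizeCheckin(PDO $db, array $session, array $request): ?int
{
    $requested = filter_var($request['patient_id'] ?? null, FILTER_VALIDATE_INT);
    if ($requested === false || $requested === null) {
        return null;                                   // malformed or missing id
    }
    $pending = $session['pending_checkin_patient'] ?? null;
    if ($pending === null || $pending !== $requested) {
        // Detection hook: a mismatch here is exactly the tampering the advisory describes.
        error_log(sprintf('checkin: user %s sent patient_id %d but pending patient is %s',
            $session['user_id'] ?? 'unknown', $requested, var_export($pending, true)));
        return null;
    }
    $stmt = $db->prepare('SELECT id FROM patients WHERE id = ?');
    $stmt->execute([$requested]);
    return $stmt->fetch() === false ? null : $requested;
}

// Constructed session: staff user 1 has just registered patient 7.
$session = ['user_id' => 1, 'pending_checkin_patient' => 7];
var_dump(checkinUnchecked($db, ['patient_id' => '8']));            // weak handler, other patient
var_dump(authorizeCheckin($db, $session, ['patient_id' => '7']));  // hardened, pending patient
var_dump(authorizeCheckin($db, $session, ['patient_id' => '8']));  // hardened, other patient
```

The session binding should be cleared once the check-in is committed so the same value cannot be replayed, and the `error_log` line gives operators a signal to alert on.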