SourceCodester Hospitals Patient Records Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. The issue is located in the admin page for viewing patient details, specifically within the 'remarks' parameter. This vulnerability allows remote attackers to inject malicious scripts that are executed in the context of the user's browser. The lack of proper input validation and output encoding enables this exploitation.

Impact

Exploitation of this vulnerability allows attackers to execute scripts in the victim's browser, potentially leading to the theft of cookies, session tokens, or other sensitive information. This could also allow attackers to perform actions on behalf of the victim, deface web pages, redirect users to malicious sites, or gain control over the victim's browser.

Reproduction

To reproduce this vulnerability, navigate to the admin patient view page and inject a script payload into the 'remarks' parameter. The injected script will be executed in the context of the user's browser.

Remediation

To address this vulnerability, implement proper output encoding for user inputs, especially in the 'remarks' parameter. Validate and filter input data to reject or escape potentially malicious content. Consider using a Content Security Policy (CSP) to restrict script execution sources, and set secure and HttpOnly flags for sensitive cookies. Regular security audits can help identify and fix such vulnerabilities.