| Title | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting |
|---|---|
| Description | PQMS-XSS-02 (`pqms/php/api_patient_schedule.php` → `reason`)<br>Title: Stored Cross-Site Scripting via Appointment Reason Field<br>What is the vulnerability?<br>The appointment scheduling endpoint (`pqms/php/api_patient_schedule.php`) stores the `reason` field and later renders it in `dashboard.php` without proper output encoding, resulting in Stored XSS.<br>Proof of Concept:<br>`<script>alert('XSS')</script>` |
| User | bobsux (UID 94358) |
| Submission | 01/09/2026 08:11 PM (1 month ago) |
| Moderation | 01/18/2026 02:50 PM (9 days later) |
| Status | Accepted |
| VulDB entry | 341740 [SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0 api_patient_schedule.php Reason cross site scripting] |
| Points | 17 |
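
The fix for the flaw described above is to encode the stored `reason` value at the point where it is written into the dashboard markup. The following is an added example, not code from the application or the submission; the row layout, function names and sample rows are assumptions, since the real `dashboard.php` markup is not shown on the page.

```php
<?php
declare(strict_types=1);

// Added example. dashboard.php's real markup is not shown on the page, so the
// row layout, function names and sample rows below are assumptions.

/** Encode a value for HTML element content or a quoted attribute value. */
function e(?string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored reason is concatenated into markup as-is. */
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['patient'] . '</td><td>' . $row['reason'] . '</td></tr>';
}

/** Hardened pattern: every stored field is encoded where it is output. */
function renderRowSafe(array $row): string
{
    return '<tr><td>' . e($row['patient']) . '</td>'
         . '<td title="' . e($row['reason']) . '">' . e($row['reason']) . '</td></tr>';
}

// Constructed rows standing in for records saved by api_patient_schedule.php.
$rows = [
    ['patient' => 'A. Example', 'reason' => 'Follow-up visit'],
    ['patient' => 'B. Example', 'reason' => 'Knee pain, "left" side & swelling'],
    ['patient' => 'C. Example', 'reason' => "<script>alert('XSS')</script>"],
];

foreach ($rows as $row) {
    $html = renderRowSafe($row);
    // Regression check: encoded output must never contain a live script tag.
    if (stripos($html, '<script') !== false) {
        throw new RuntimeException('unencoded markup reached the page');
    }
    echo $html, PHP_EOL;
}
```

Encoding on output keeps the stored text intact for other consumers, so legitimate reasons containing quotes or ampersands still display as typed.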