CVE-2022-22850 in Hospital Patient Records Management System
Summary
by MITRE • 01/26/2022
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the description parameter in room_types.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/26/2026
The vulnerability identified as CVE-2022-22850 represents a critical stored cross site scripting flaw within the Sourcecodtester Hospital Patient Records Management System version 1.0. This vulnerability specifically manifests through the description parameter within the room_types functionality, creating a persistent security risk that can affect multiple users who interact with the system. The issue stems from inadequate input validation and output sanitization mechanisms that fail to properly escape or filter malicious script content submitted by users.
The technical implementation of this vulnerability allows an attacker to inject malicious javascript code through the description field when creating or modifying room types within the hospital management system. When other users subsequently view these room type entries, the injected scripts execute in their browser context, potentially leading to session hijacking, credential theft, or further exploitation of the compromised system. The stored nature of this vulnerability means that the malicious code persists in the database and affects all users who access the affected pages without requiring repeated injection attempts.
From an operational perspective, this vulnerability poses significant risks to healthcare data integrity and patient privacy within the hospital environment. The attack surface is particularly concerning given that hospital management systems contain sensitive patient information and critical operational data. The vulnerability can be exploited by attackers with minimal privileges to access or manipulate the system, potentially leading to unauthorized access to patient records, disruption of medical services, or creation of backdoors for persistent access. This aligns with CWE-79 which categorizes cross site scripting vulnerabilities as a primary concern for web application security.
The impact of this vulnerability extends beyond immediate script execution as it can serve as a foothold for more sophisticated attacks within the healthcare network. Attackers may leverage the initial XSS payload to perform actions such as stealing session cookies, redirecting users to malicious sites, or even executing more complex attacks through the compromised user context. This vulnerability directly maps to several ATT&CK techniques including T1566 for social engineering and T1071 for application layer protocol usage, as attackers can craft malicious payloads that exploit the web application's trust in user input.
Mitigation strategies should focus on implementing comprehensive input validation and output encoding mechanisms throughout the application. The system must sanitize all user inputs, particularly those stored in database fields, using context-appropriate encoding methods such as HTML entity encoding for web content. Additionally, implementing proper content security policies and employing web application firewalls can provide additional layers of protection. Regular security testing including automated scanning and manual penetration testing should be conducted to identify similar vulnerabilities in other application components. The implementation of secure coding practices and regular security training for developers is essential to prevent similar issues in future releases and aligns with industry standards for healthcare information system security.