CVE-2024-10199 in Pharmacy Management System
Summary
by MITRE • 10/21/2024
A vulnerability was found in code-projects Pharmacy Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /manage_medicine.php of the component Manage Medicines Page. The manipulation of the argument name/address/doctor_address/suppliers_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions contradicting files to be affected.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/03/2025
This vulnerability resides within the code-projects Pharmacy Management System version 1.0, specifically targeting the manage_medicine.php file which serves as the Manage Medicines Page component. The cross-site scripting flaw manifests when user-supplied input is improperly handled in parameters including name, address, doctor_address, and suppliers_name fields. This represents a classic reflected cross-site scripting vulnerability where malicious payloads can be injected through these input vectors and subsequently executed in the context of other users' browsers. The vulnerability's classification as problematic indicates a significant security risk that could compromise the integrity of the application's user interactions and potentially lead to unauthorized access or data theft.
The technical exploitation of this vulnerability occurs through remote attack vectors, meaning malicious actors can trigger the XSS payload without requiring physical access to the system. The disclosed exploit demonstrates that attackers can craft malicious input strings containing javascript code that gets reflected back to users browsing the pharmacy management interface. This type of vulnerability falls under CWE-79 which specifically addresses Cross-site Scripting flaws in software applications. The reflected nature of the vulnerability means that the malicious script is executed immediately when a user visits a specially crafted URL containing the payload, making it particularly dangerous for web applications handling sensitive medical information.
The operational impact of this vulnerability extends beyond simple script execution as it could enable attackers to perform session hijacking, steal sensitive patient data, manipulate medical records, or redirect users to malicious websites. Given that this is a pharmacy management system, the potential for data breaches involving protected health information is particularly concerning. The vulnerability affects the core functionality of managing medicines within the system, which could disrupt legitimate business operations while providing attackers with unauthorized access to critical medical data. This aligns with ATT&CK technique T1531 which focuses on use of unauthorized system features for data exfiltration and manipulation.
The contradiction mentioned in the initial researcher advisory regarding affected files suggests potential confusion in the vulnerability assessment or indicates that the flaw may extend beyond the initially identified file. This uncertainty in the affected components increases the risk surface area and requires comprehensive testing of all input handling mechanisms within the pharmacy management system. Organizations should implement immediate mitigations including input validation, output encoding, and proper sanitization of all user-supplied data. The vulnerability also highlights the need for regular security assessments of web applications handling sensitive data, particularly those in healthcare environments where data protection regulations such as HIPAA compliance are paramount.