| Field | Value |
|---|---|
| Title | SourceCodester Patients Waiting Area Queue Management System 1.0 SQL Injection |
| Description | The application is vulnerable to SQL Injection (CWE-89) because appointment reference input from the check-in workflow is directly concatenated into backend SQL queries instead of being safely parameterized. As a result, attacker-controlled input can alter query logic and bypass intended filtering. During authorized testing, this weakness led to unauthorized database information extraction, confirming real-world impact on data confidentiality. The issue affects appointment lookup logic in api_patient_schedule.php and api_patient_checkin.php, where prepared statements are not used. Given confirmed data disclosure, severity should be treated as Critical until remediated. |
| Source | ⚠️ https://www.notion.so/Patients-Waiting-Area-Queue-Management-System-32de7248353d80fa898de0401ec2dea9 |
| User | himanshuh4cker (UID 96758) |
| Submission | 03/27/2026 10:08 (14 days ago) |
| Moderation | 04/08/2026 21:11 (12 days later) |
| Status | Duplicate |
| VulDB entry | 332350 [SourceCodester Patients Waiting Area Queue Management System 1.0 api_patient_checkin.php getPatientAppointment appointmentID sql injection] |
| Points | 0 |