CVE-2023-39852 — CRITICAL (9.8)

Vulnerability Description

Doctormms v1.0 was discovered to contain a SQL injection vulnerability via the $userid parameter at myAppoinment.php. NOTE: this is disputed by a third party who claims that the userid is a session variable controlled by the server, and thus cannot be used for exploitation. The original reporter counterclaims that this originates from $_SESSION["userid"]=$_POST["userid"] at line 68 in doctors\doctorlogin.php, where userid under POST is not a session variable controlled by the server.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Doctor Appointment System Project	Doctor Appointment System	1.0

Related Weaknesses (CWE)

CWE-89

References

https://github.com/KLSEHB/vulnerability-report/blob/main/Doctormms_CVE-2023-3985ExploitThird Party Advisory
https://www.sourcecodester.com/php/14182/doctor-appointment-system.htmlProduct
https://github.com/KLSEHB/vulnerability-report/blob/main/Doctormms_CVE-2023-3985ExploitThird Party Advisory
https://www.sourcecodester.com/php/14182/doctor-appointment-system.htmlProduct

FAQ

What is CVE-2023-39852?

CVE-2023-39852 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Doctormms v1.0 was discovered to contain a SQL injection vulnerability via the $userid parameter at myAppoinment.php. NOTE: this is disputed by a third party who claims that the userid is a session va...

How severe is CVE-2023-39852?

CVE-2023-39852 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-39852?

Check the references section above for vendor advisories and patch information. Affected products include: Doctor Appointment System Project Doctor Appointment System.