Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Multiple vulnerabilities in Clinic Queuing System

Posted date 28/03/2025
Identificador
INCIBE-2025-0163
Importance
3 - Medium
Affected Resources

Clinic Queuing System, 1.0 version.

Description

INCIBE has coordinated the publication of 3 vulnerabilities of medium severity, affecting the Clinic Queuing System, a system that manages the daily flow of clinical patient queues. The vulnerabilities have been discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • from CVE-2025-2868 to CVE-2025-2870: CVSS v4.0: 4.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N  | CWE-79
Solution

There is no reported solution at this time. 

Detail

Reflected Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Clinic Queuing System. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL. The list of assigned parameters and identifiers is as follows:

  • CVE-2025-2868: page parameter in /index.php;
  • CVE-2025-2869: id parameter in /manage_user.php;
  • CVE-2025-2870: page parameter in /patient_side.php.
References list
Product website
Etiquetas