Multiple vulnerabilities in Imaster products

Posted date 12/01/2026
Identifier
INCIBE-2026-015
Importance
5 - Critical
Affected Resources
  • MEMS Events CRM;
  • Patient Records Management System.
Description

INCIBE has coordinated the publication of four vulnerabilities (one critical, two of high severity and one of medium severity) affecting Imaster's MEMS Events CRM and Patient Records Management System, both business management programs. The vulnerabilities were discovered by Gonzalo Aguilar García (6h4ack).

Each vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-41003: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
  • CVE-2025-41004 and CVE-2025-41005: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
  • CVE-2025-41006: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
Solution

No solution has been reported at this time.

Detail
  • CVE-2025-41003: Imaster's Patient Records Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint ‘/projects/hospital/admin/edit_patient.php’. A malicious script injected through the ‘firstname’ parameter is stored and executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim's browser.
  • CVE-2025-41004: Imaster's Patient Records Management System is vulnerable to SQL injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter.
  • Imaster's MEMS Events CRM contains SQL injection vulnerabilities. The affected parameters and their assigned identifiers are as follows:
    • CVE-2025-41005: ‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’.
    • CVE-2025-41006: ‘phone’ parameter in ‘/memsdemo/login.php’.
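The following PHP is an added illustration, not Imaster's code, of the remediation a maintainer would apply to the four parameters named above: the ‘id’, ‘keyword’ and ‘phone’ parameters are bound through prepared statements instead of being concatenated into SQL (CWE-89), and the ‘firstname’ value is stored as plain data and HTML-encoded when the patient list is rendered (CWE-79). The table and column names, the function names, the DSN and the credentials are assumptions made for the example.

```php
<?php
// Added example (not the vendor's code). Table/column names, function names,
// DSN and credentials are assumptions; only the parameter names come from the advisory.
declare(strict_types=1);

// Vulnerable pattern the advisory describes (do not use): user input becomes SQL / HTML.
//   $rows = mysqli_query($conn, "SELECT * FROM complaints WHERE id = " . $_GET['id']);
//   echo "<td>" . $row['firstname'] . "</td>";

function db(): PDO {
    // Assumed connection settings. Native (non-emulated) prepares keep bound
    // values out of the SQL parser; exceptions stop failed queries from being ignored.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// complaints.php, 'id' parameter: validate as a positive integer, then bind it.
function fetchComplaint(PDO $pdo, string $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, patient_id, subject, body FROM complaints WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// exchange_offers.php, 'keyword' parameter: bound as data; LIKE wildcards in the
// input are escaped so a user cannot widen the pattern (MySQL's default escape is '\').
function searchOffers(PDO $pdo, string $keyword): array {
    $pattern = '%' . addcslashes($keyword, '%_\\') . '%';
    $stmt = $pdo->prepare('SELECT id, title FROM offers WHERE title LIKE :kw LIMIT 50');
    $stmt->execute([':kw' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// login.php, 'phone' parameter: bound as data; the password is never part of the
// query and is checked against a stored hash. Returns the user id or null.
function authenticate(PDO $pdo, string $phone, string $password): ?int {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE phone = :phone LIMIT 1');
    $stmt->execute([':phone' => $phone]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null; // single failure path: no hint whether the phone exists
    }
    return (int) $user['id'];
}

// edit_patient.php, 'firstname' parameter: stored as data after a length check;
// no encoding on input, because the context that needs protecting is the HTML output.
function storeFirstName(PDO $pdo, int $patientId, string $firstname): bool {
    $firstname = trim($firstname);
    if ($firstname === '' || mb_strlen($firstname, 'UTF-8') > 100) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE patients SET firstname = :fn WHERE id = :id');
    return $stmt->execute([':fn' => $firstname, ':id' => $patientId]);
}

// Patient list rendering: contextual HTML encoding is what stops a stored script
// from executing. ENT_QUOTES covers attribute contexts as well as text nodes.
function renderNameCell(string $firstname): string {
    return '<td>' . htmlspecialchars($firstname, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth for the whole admin area: a restrictive CSP blocks inline script
// even if an encoding step is missed somewhere else.
function sendSecurityHeaders(): void {
    header("Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}
```

The fixes are deliberately parameter-specific: an integer id is validated before it is bound, a free-text search term has its LIKE metacharacters escaped in addition to being bound, and the login lookup keeps the credential check out of SQL entirely. Output encoding is applied at render time rather than on input so the stored value stays usable in non-HTML contexts (exports, APIs).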
CVE
  • CVE-2025-41003: Severity: Medium | Exploitation: No | New vendor: Imaster
  • CVE-2025-41004: Severity: High | Exploitation: No | New vendor: Imaster
  • CVE-2025-41005: Severity: High | Exploitation: No | New vendor: Imaster
  • CVE-2025-41006: Severity: Critical | Exploitation: No | New vendor: Imaster