CVE-2024-11073

4.3 MEDIUM

📋 TL;DR

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in SourceCodester Hospital Management System 1.0. Attackers can remotely delete any patient account by manipulating the 'id' parameter in the /vm/patient/delete-account.php file without proper authorization checks. All deployments of this specific software version are affected.

💻 Affected Systems

Products:
  • SourceCodester Hospital Management System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0. The vulnerability is in the application code, not dependent on specific OS or web server configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass deletion of all patient records, causing complete data loss and service disruption in hospital operations.

🟠 Likely Case

Targeted deletion of specific patient accounts, potentially for extortion, sabotage, or covering up medical fraud.

🟢 If Mitigated

Unauthorized deletion attempts are logged and blocked, with minimal impact on legitimate operations.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details are available.
🏢 Internal Only: MEDIUM - Internal attackers could abuse this, but external threat is more significant due to remote exploitability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication but bypasses authorization checks. Public GitHub repository contains detailed exploitation methodology.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider implementing custom fixes or migrating to alternative software.

🔧 Temporary Workarounds

Implement Proper Authorization Checks

Add server-side authorization validation to ensure users can only delete their own accounts or accounts they're authorized to manage.

Modify /vm/patient/delete-account.php to include session validation and user permission checks before processing the deletion, so that the 'id' parameter is checked against the authenticated user's own account (or an explicit management role) rather than being trusted as supplied.
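The following is an added illustration of what such a hardened handler can look like; it is not the SourceCodester project's code. It assumes the login flow stores the authenticated patient's id in $_SESSION['patient_id'] and a role in $_SESSION['role'], that a CSRF token named csrf_token is issued with the form, and that a `patients` table with an `id` column is reached through a PDO connection $pdo defined in a hypothetical db.php.

```php
<?php
// Added illustrative hardening for a patient delete-account handler (not the
// project's code). Session keys, token name, table/column names and db.php
// are assumptions for the example.
declare(strict_types=1);
session_start();
require __DIR__ . '/../../db.php'; // hypothetical file that defines $pdo

// 1. Require an authenticated session: no session, no deletion.
if (empty($_SESSION['patient_id'])) {
    http_response_code(401);
    exit('Login required');
}

// 2. Only accept the state-changing action over POST, never via a GET link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// 3. CSRF token bound to the session; hash_equals avoids timing leaks.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Invalid request token');
}

// 4. Validate the id as an integer instead of trusting raw input.
$requestedId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($requestedId === false || $requestedId === null) {
    http_response_code(400);
    exit('Invalid id');
}

// 5. Authorization (the IDOR fix): a patient may delete only their own
//    account; an admin role may delete any. Reject and log everything else.
$isOwner = ($requestedId === (int) $_SESSION['patient_id']);
$isAdmin = (($_SESSION['role'] ?? '') === 'admin');
if (!$isOwner && !$isAdmin) {
    error_log(sprintf('IDOR attempt: session patient %d tried to delete %d',
        (int) $_SESSION['patient_id'], $requestedId));
    http_response_code(403);
    exit('Not authorized');
}

// 6. Parameterized delete so the validated id is never interpolated into SQL.
$stmt = $pdo->prepare('DELETE FROM patients WHERE id = :id');
$stmt->execute([':id' => $requestedId]);
echo $stmt->rowCount() === 1 ? 'Account deleted' : 'No such account';
```

The denied attempt in step 5 is logged with both ids, which gives the detection rules later on this page a server-side record to alert on.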

Web Application Firewall Rule

Block suspicious delete-account.php requests with manipulated ID parameters.

WAF rule: Block requests to /vm/patient/delete-account.php where the id parameter doesn't match the current user's authorized patient IDs. A WAF generally cannot know on its own which patient IDs a session is authorized for, so this is a stopgap that complements the server-side authorization check rather than replacing it.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to the Hospital Management System from untrusted networks.
  • Enable detailed logging of all delete-account.php requests and implement real-time alerting for suspicious deletion patterns.

🔍 How to Verify

Check if Vulnerable:

Test by logging in as one user and attempting to delete another user's account by modifying the 'id' parameter in delete-account.php requests.

Check Version:

Check application version in admin panel or review source code comments for version information.

Verify Fix Applied:

After implementing authorization checks, verify that users can only delete their own accounts or accounts they're explicitly authorized to manage.

📡 Detection & Monitoring

Log Indicators:

  • Multiple deletion requests (HTTP POST) to /vm/patient/delete-account.php with different id parameters from the same user session
  • Rapid succession of account deletion requests

Network Indicators:

  • HTTP POST requests to /vm/patient/delete-account.php with manipulated id parameters
  • Unusual patterns of account deletion activity

SIEM Query:

source="web_server_logs" AND uri_path="/vm/patient/delete-account.php" AND (id_parameter_changes > threshold OR deletion_rate > normal)
