CVE-2024-56990

4.5 MEDIUM

📋 TL;DR

PHPGurukul Hospital Management System 4.0 contains stored cross-site scripting vulnerabilities in patient history and admin view pages. Attackers can inject malicious scripts that execute when legitimate users access these pages. This affects all users of the vulnerable system, particularly healthcare staff accessing patient records.

💻 Affected Systems

Products:
  • PHPGurukul Hospital Management System
Versions: 4.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation. Requires user interaction to trigger stored XSS payloads.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions as authenticated users, or compromise patient data confidentiality.

🟠 Likely Case

Session hijacking leading to unauthorized access to patient records and system functionality.

🟢 If Mitigated

Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires authentication to inject XSS payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is available. Implement input validation and output encoding in the /view-medhistory.php and /admin/view-patient.php files.

🔧 Temporary Workarounds

Input Validation and Output Encoding (applies to: all)

Implement proper input validation and HTML entity encoding for user-supplied data in the affected files.

Edit the PHP files to wrap user-supplied values in htmlspecialchars() or a similar encoding function before they are output.

Content Security Policy (applies to: all)

Implement Content Security Policy headers to restrict script execution.

Add header("Content-Security-Policy: default-src 'self'") to the PHP files.
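The two workarounds above, shown together as an added example (this is illustrative code, not PHPGurukul's own source): the unsafe echo pattern the advisory describes beside its encoded form, an integer check for the record id as the input-validation half, and the CSP header sent before any output. The field name `medhistory`, the `id` parameter and the helper names are assumptions; PHP 8 is assumed.

```php
<?php
// Added example, not code from PHPGurukul Hospital Management System.
// Field name 'medhistory', the 'id' parameter and helper names are assumptions.
declare(strict_types=1);

// Encode a value for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop the value.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation for the record identifier: accept only a positive integer,
// return null for anything else (so the caller can reject the request).
function validId(mixed $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Vulnerable pattern: a stored field is echoed straight into the page,
// so a payload saved earlier runs in every viewer's browser.
function renderUnsafe(array $row): string
{
    return '<td>' . $row['medhistory'] . '</td>';
}

// Hardened pattern: every stored or user-supplied value passes through e().
function renderSafe(array $row): string
{
    return '<td>' . e($row['medhistory']) . '</td>';
}

// Defence in depth: the CSP header must be sent before any output.
// default-src 'self' blocks inline <script> blocks and inline event handlers,
// so a payload that slips past encoding still cannot execute.
function sendCsp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'");
    }
}

// Constructed sample record holding a stored XSS payload.
$row = ['medhistory' => '<script>alert(1)</script>'];

sendCsp();
var_dump(validId('7'));       // int(7)
var_dump(validId('7<script')); // NULL: rejected before any query runs
echo renderUnsafe($row), PHP_EOL; // script tag reaches the browser intact
echo renderSafe($row), PHP_EOL;   // &lt;script&gt;alert(1)&lt;/script&gt; renders as text
```

Encoding belongs at the point of output, not only at the point of storage: data already saved in the database before the fix (including any payload from a prior injection) is rendered harmless only if every page that displays it encodes it.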

🧯 If You Can't Patch

  • Restrict access to affected pages using web application firewall rules
  • Implement strict input validation at application layer for all user inputs

🔍 How to Verify

Check if Vulnerable:

Test by injecting XSS payloads into patient data fields and checking whether the scripts execute when the affected pages are viewed.

Check Version:

Check the system version in the admin panel or configuration files.

Verify Fix Applied:

Attempt to inject XSS payloads and verify that they are properly encoded/escaped in the output.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in patient data fields
  • Multiple failed XSS attempts in logs

Network Indicators:

  • Malicious script injection in HTTP POST requests to patient data endpoints

SIEM Query:

source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=") AND ("view-medhistory.php" OR "view-patient.php")
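The SIEM query above, applied to web-server access log lines as an added example (not part of the advisory): the same page and marker matching, with the request line URL-decoded first, because a browser sends `<script>` as `%3Cscript%3E` and a literal match on the raw line would miss it. The log lines are constructed samples in combined-log format; PHP 8 is assumed for str_contains().

```php
<?php
// Added example, not from the advisory. Log lines below are constructed.
declare(strict_types=1);

// Markers from the SIEM query; '<script' rather than '<script>' so that
// '<script src=...>' is also caught.
const XSS_MARKERS = ['<script', 'javascript:', 'onerror=', 'onload='];
const TARGET_PAGES = ['view-medhistory.php', 'view-patient.php'];

// True when the line hits one of the watched pages and carries an XSS marker.
// Matching is done on the URL-decoded, lower-cased line.
function isSuspicious(string $line): bool
{
    $decoded = strtolower(rawurldecode($line));
    $onTarget = false;
    foreach (TARGET_PAGES as $page) {
        if (str_contains($decoded, $page)) {
            $onTarget = true;
            break;
        }
    }
    if (!$onTarget) {
        return false;
    }
    foreach (XSS_MARKERS as $marker) {
        if (str_contains($decoded, $marker)) {
            return true;
        }
    }
    return false;
}

// Scan a list of lines; returns the suspicious ones keyed by 1-based line number.
function scanLog(array $lines): array
{
    $hits = [];
    foreach (array_values($lines) as $i => $line) {
        if (isSuspicious($line)) {
            $hits[$i + 1] = $line;
        }
    }
    return $hits;
}

// Constructed sample access-log entries.
$sample = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /hms/view-medhistory.php?id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /hms/view-medhistory.php?id=7%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 600',
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "POST /hms/admin/view-patient.php HTTP/1.1" 200 420',
    '10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /hms/admin/view-patient.php?q=%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 430',
    '10.0.0.2 - - [01/Jan/2025:10:01:00 +0000] "GET /hms/index.php?x=<script> HTTP/1.1" 200 300',
];

// Expected: lines 2 and 4 are reported; line 5 carries a marker but is not a
// watched page, and line 3 is a watched page with no marker.
foreach (scanLog($sample) as $n => $line) {
    echo "line $n: $line", PHP_EOL;
}
```

Two limits of this query worth knowing: standard access logs record only the request line, so a payload submitted in a POST body (the usual path for a stored field) appears nowhere in them and has to be found in application-level logging or in the stored records themselves; and the pages named are where the payload renders, so a hit on them may be a victim viewing an already-poisoned record rather than the original injection.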
