CVE-2025-10618

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in itsourcecode Online Clinic Management System 1.0 allows attackers to manipulate database queries through the firstname parameter in transact.php. The vulnerability can be exploited remotely without authentication, potentially compromising sensitive medical data. All users running version 1.0 are affected.

💻 Affected Systems

Products:
  • itsourcecode Online Clinic Management System
Versions: 1.0
Operating Systems: Any OS running PHP and MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The transact.php file handles user transactions and is typically reachable through the web interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including patient medical records, appointment data, and administrative credentials, leading to data theft, system takeover, and potential healthcare service disruption.

🟠 Likely Case: Unauthorized access to patient data, modification of clinic records, and potential extraction of sensitive information from the database.

🟢 If Mitigated: Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access, reducing exposure compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates time-based SQL injection. Multiple parameters may be vulnerable beyond firstname as noted in the description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UNKNOWN

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider migrating to a supported system or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: PHP)

Implement parameterized queries and input validation for all user inputs in transact.php.

Modify transact.php to use prepared statements (mysqli shown; $conn is the existing database connection):

  $stmt = $conn->prepare('SELECT * FROM users WHERE firstname = ?');  // placeholder instead of string concatenation
  $stmt->bind_param('s', $firstname);                                   // value is bound as data, never parsed as SQL
  $stmt->execute();

Web Application Firewall Rules (applies to: all)

Deploy WAF rules to block SQL injection patterns targeting transact.php parameters.

Add a WAF rule that blocks requests to transact.php containing SQL keywords in the firstname parameter.

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation to limit database server access

🔍 How to Verify

Check if Vulnerable:

Test transact.php with SQL injection payloads in the firstname parameter and observe whether database errors or time delays occur.

Check Version:

Check system documentation or about page for version information

Verify Fix Applied:

Repeat the same tests after applying the fix; the application should return normal error handling, with no database errors and no induced delays.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts via transact.php
  • Long response times from transact.php requests

Network Indicators:

  • SQL keywords in GET/POST parameters to transact.php
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/transact.php" AND param="firstname" AND value MATCH "(?i)(UNION|SELECT|SLEEP)"
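As an added example (not code from the original advisory or from itsourcecode), the detection logic behind the SIEM query above, run over constructed access-log lines: it parses requests to transact.php, URL-decodes the firstname parameter and flags values matching the UNION/SELECT/SLEEP patterns, while leaving a legitimate apostrophe in a name (O'Neil) unflagged. It assumes Apache/nginx combined log format and the path /transact.php.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from the original page.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Sep/2025:10:01:02 +0000] "GET /transact.php?firstname=Alice&lastname=Smith HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Sep/2025:10:01:09 +0000] "GET /transact.php?firstname=O%27Neil HTTP/1.1" 200 498',
    '203.0.113.9 - - [12/Sep/2025:10:02:15 +0000] "GET /transact.php?firstname=x%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 60',
    '203.0.113.9 - - [12/Sep/2025:10:02:40 +0000] "GET /transact.php?firstname=x%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 500 120',
    '10.0.0.5 - - [12/Sep/2025:10:03:00 +0000] "GET /index.php?firstname=%27%20OR%201=1 HTTP/1.1" 200 300',
]

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTOCOL", status, size.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Keywords from the page's SIEM query (UNION, SELECT, SLEEP) plus common comment markers
# and tautologies. A lone apostrophe is deliberately NOT matched: it is legitimate in names.
SQLI_RE = re.compile(r"(?i)\b(union|select|sleep|benchmark)\b|--|/\*|\bor\b\s+\d+\s*=\s*\d+")


def parse_line(line):
    """Return the decoded request as a dict, or None if the line is not a request record."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so encoded payloads are inspected in their decoded form.
    params = parse_qs(url.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "path": url.path, "params": params}


def detect(lines, path="/transact.php", param="firstname"):
    """Flag requests to `path` whose `param` value matches an injection pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        for value in rec["params"].get(param, []):
            m = SQLI_RE.search(value)
            if m:
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "value": value, "matched": m.group(0)})
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client IP; repeated probes from one source merit a closer look."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts
```

The /index.php line is ignored because the rule is scoped to transact.php; widen `path` if other endpoints are suspected, as the advisory notes other parameters may be affected.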
