This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.
patient/booking-complete.php from line 27,The $scheduleid parameter is controllable, the parameter scheduleid can be passed through post, and the $scheduleid is not protected from sql injection, line 34 $result= $database->query($sql2); causes sql injection
Vulnerability file address
patient/booking-complete.php
from line 27,The $scheduleid parameter is controllable, the parameter scheduleid can be passed through post, and the $scheduleid is not protected from sql injection, line 34$result= $database->query($sql2);
causes sql injectionPOC
Attack results pictures