Author: Ravi Pipalwa
Date: January 28, 2026
System: PQMS — Patient Queue Management System
Environment: Localhost (PHP-based Web Application)
Affected Modules: New Patient Registration, Patient Search
Severity: Critical
Vulnerability Type: Stored Cross-Site Scripting (Stored XSS)
Vendor Homepage: https://www.sourcecodester.com
Software Link: https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html
1. Executive Summary
During security testing of the PQMS application, a critical Stored Cross-Site Scripting (XSS) vulnerability was identified. The system allows user-supplied input to be stored in the database without proper validation or sanitization and later renders it directly in the browser.
This allows an attacker to inject JavaScript that is stored persistently and executed in the browser of every user who later views the affected patient record. In a real-world healthcare environment, this can lead to exposure of sensitive patient information, account compromise, and unauthorized system access.
2. Vulnerability Overview
The vulnerability exists in the New Patient Registration module. Input fields such as the First Name and Last Name accept raw HTML and JavaScript content. When this data is later displayed in the Patient Search results, it is not safely encoded, causing the browser to interpret it as executable code.
For testing, the following payload was used:
    <img src=x onerror=alert(1)>
This payload was:
- Accepted by the form
- Stored in the database
- Rendered in the Patient Search interface
- Executed by the browser
The appearance of the alert popup confirms successful code execution and validates the presence of a Stored XSS vulnerability.
3. Affected Endpoints
- Patient Registration: /pqms/registration.php
- Patient Search: /pqms/patient-search.php
4. Proof of Concept (PoC)
High-Level Steps:
1. Open the New Patient Registration page.
2. Enter the following payload in the First Name field:
    <img src=x onerror=alert(1)>
3. Fill in the remaining required fields with valid data.
4. Complete the registration.
5. Navigate to the Patient Search page.
6. Search for the newly created patient record.
7. Observe that:
- The injected payload is written into the results page as live markup rather than as text.
- A browser alert appears showing "1".

This demonstrates that malicious code is persistently stored and automatically executed.
5. Impact Assessment
If exploited in a production environment, this vulnerability could allow an attacker to:
- Steal authenticated user session cookies (where the session cookie is not flagged HttpOnly)
- Perform unauthorized actions as another user
- Access or manipulate patient data
- Inject fake forms or redirect users to malicious sites
- Conduct phishing attacks within the application
- Compromise staff and administrator accounts
Given the healthcare context, this risk is extremely serious due to privacy, regulatory, and legal implications.
6. Root Cause Analysis
The issue exists due to:
- Lack of server-side input validation
- Absence of output encoding when rendering user data
- Direct insertion of user input into HTML
- Missing security headers and Content Security Policy (a missing mitigation layer rather than the cause itself, but it means nothing limits the impact once encoding is skipped)
- No centralized input handling or sanitization layer
7. Security Recommendations
1. Immediate Actions (High Priority):
- Proper Output Encoding. All user-supplied data must be HTML-encoded at the point where it is written into the page. This is the actual fix; the remaining items are defence in depth:
    echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
- Input Validation. Reject or clean unexpected characters before the value is stored:
    $first_name = strip_tags($_POST['first_name']);
  Or apply a strict allowlist:
    $first_name = preg_replace("/[^a-zA-Z\s]/", "", $_POST['first_name']);
  Note that strip_tags() is not an XSS defence on its own (a payload injected into an attribute context needs no angle brackets and passes through untouched), and the allowlist above silently discards legitimate name characters such as apostrophes, hyphens and accented letters. Treat validation as a complement to output encoding, not a replacement for it.
- Implement a Content Security Policy (CSP). A policy whose script-src omits 'unsafe-inline' blocks inline event handlers such as the onerror= in the test payload even if encoding is missed, although it does not stop injected HTML such as fake login forms:
    Content-Security-Policy: default-src 'self'; script-src 'self';
- Block HTML Input. Unless explicitly required, HTML should never be accepted in form fields.
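The fix pattern above, and the rendering step from the proof of concept, in runnable form. This is an added example written for this report; it is not code from the PQMS project. The column names first_name and last_name, the shape of the fetched row, and the extra object-src and base-uri directives in the policy are assumptions about how patient-search.php reads and displays records, not facts established by the testing.

```php
<?php
// Added example, not PQMS code. Column names first_name/last_name and the
// shape of $row are assumptions about what patient-search.php reads from the database.
declare(strict_types=1);

/** Encode a value for an HTML text node or a quoted attribute value. */
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Registration-side validation (defence in depth, not the fix). Accepts letters from
 * any script plus combining marks, spaces, apostrophes, hyphens and periods, so names
 * such as "O'Brien" or "María" survive where strip_tags()/[^a-zA-Z\s] would mangle them.
 * Returns null when the input is not a plausible name.
 */
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    return preg_match('/^[\p{L}\p{M}][\p{L}\p{M} .\'\-]*$/u', $name) === 1 ? $name : null;
}

/** The pattern this report describes: the stored value is written straight into the page. */
function renderRowVulnerable(array $row): string
{
    return "<tr><td>{$row['first_name']}</td><td>{$row['last_name']}</td></tr>";
}

/** Hardened: every user-controlled value passes through e() at the point of output. */
function renderRowSafe(array $row): string
{
    return '<tr><td>' . e($row['first_name']) . '</td><td>' . e($row['last_name']) . '</td></tr>';
}

/** Send before any output. script-src without 'unsafe-inline' stops onerror= handlers even if encoding is missed. */
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
}

sendSecurityHeaders(); // no-op under the CLI, applied when served by a web server

// Constructed record: the report's test payload stored as a first name.
$row = ['first_name' => '<img src=x onerror=alert(1)>', 'last_name' => "O'Brien"];

echo "Vulnerable: ", renderRowVulnerable($row), PHP_EOL; // a browser would execute alert(1)
echo "Encoded:    ", renderRowSafe($row), PHP_EOL;       // a browser shows the payload as literal text

foreach (['<img src=x onerror=alert(1)>', "Mary-Jane O'Brien", 'María José'] as $candidate) {
    $ok = validateName($candidate);
    echo str_pad($candidate, 30), ' => ', $ok === null ? 'REJECTED' : 'accepted', PHP_EOL;
}
```

Run it with `php example.php` and compare the two table rows: the vulnerable line carries the `<img>` tag intact, while the encoded line has its angle brackets and quotes replaced by entities, which is what stops the browser from treating the name as markup. The validator rejects the payload at registration while accepting the hyphenated, apostrophised and accented names that the `[^a-zA-Z\s]` allowlist would have mangled.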
2. Long-Term Improvements:
- Use templating engines with automatic output escaping (e.g., Twig, Blade)
- Implement centralized validation middleware
- Add Web Application Firewall (WAF) rules
- Enable security headers: X-Content-Type-Options , X-Frame-Options , Strict-Transport-Security , and mark session cookies HttpOnly, Secure and SameSite so that any script that does run cannot read them
- Perform periodic security audits and code reviews
9. OWASP Mapping
OWASP Top 10 (2021):
- A03:2021 Injection (the vulnerability itself)
- A05:2021 Security Misconfiguration (missing CSP and security headers)
- A07:2021 Identification and Authentication Failures (the session-hijacking impact, not the flaw)
Stored XSS is categorized under Injection vulnerabilities and corresponds to CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
10. Conclusion
The PQMS application is critically vulnerable to Stored Cross-Site Scripting due to insecure handling of user input and unsafe rendering of stored data. This vulnerability allows persistent JavaScript execution and can be leveraged to compromise user accounts, steal sensitive patient information, and undermine the integrity of the entire system.
Immediate remediation is essential before the application is deployed in any production or clinical environment.
11. Disclosure Statement
This report is intended strictly for:
- Authorized security testing
- Educational purposes
- Defensive security improvement
No real patient data was accessed, altered, or exposed during this assessment.