CVE-2021-39416

Name of the Vulnerable Software and Affected Versions: Remote Clinic version 2.0

Description: Multiple Cross Site Scripting (XSS) vulnerabilities exist in Remote Clinic v2.0. The vulnerabilities are found in several parameters across different PHP files, including patients/register-patient.php via parameters such as Contact, Email, Weight, Profession, ref contact, address, gender, age, and serial; patients/edit-patient.php via parameters like Contact, Email, Weight, Profession, ref contact, address, serial, age, and gender; staff/edit-my-profile.php via parameters such as Title, First Name, Last Name, Skype, and Address; and clinics/settings.php via parameters including portal name, guardian short name, guardian name, opening time, closing time, access level 5, access level 4, access level 3, access level 2, access level 1, currency, mobile number, address, patient contact, patient address, and patient email.

Recommendations: As a temporary workaround, consider disabling the vulnerable parameters in the affected PHP files until a patch is available. Restrict access to the vulnerable modules patients/register-patient.php, patients/edit-patient.php, staff/edit-my-profile.php, and clinics/settings.php to minimize the risk of exploitation. Avoid using the specified parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.