PT-2024-17182 · Unknown · Codeastro Hospital Management System

Egsec

Published

2024-11-25

Updated

2024-12-04

CVE-2024-11674

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions CodeAstro Hospital Management System version 1.0

Description A critical issue was found in the CodeAstro Hospital Management System, affecting an unknown function of the file /backend/doc/his doc update-account.php. The manipulation of the doc dpic argument leads to unrestricted upload. This issue can be exploited remotely. The exploit has been disclosed to the public and may be used.

Recommendations For CodeAstro Hospital Management System version 1.0, consider restricting access to the /backend/doc/his doc update-account.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the doc dpic argument in the affected file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Exploit

Fix

Improper Access Control

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-434

Related Identifiers

CVE-2024-11674

Affected Products

Codeastro Hospital Management System

PT-2024-17182 · Unknown · Codeastro Hospital Management System

CVE-2024-11674

Weakness Enumeration

Related Identifiers

Affected Products

References · 10