CVE-2025-9774
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-01

Last updated on: 2025-09-04

Assigner: VulDB

Description
A vulnerability has been found in RemoteClinic up to 2.0. This issue affects some unknown processing of the file /patients/edit-patient.php. The manipulation of the argument Email leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-01
Last Modified
2025-09-04
Generated
2026-06-16
AI Q&A
2025-09-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9774
EUVD
EUVD-2025-26338
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
remoteclinic remote_clinic to 2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9774 is a Cross-Site Scripting (XSS) vulnerability in RemoteClinic version 2.0, specifically in the file /patients/edit-patient.php. It occurs because the application improperly handles the Email parameter, failing to validate or encode it correctly. This allows attackers to inject malicious scripts that execute in the victim's browser without requiring authentication, leading to unauthorized access to sensitive information and actions performed on behalf of the user. [2, 3]

Impact Analysis

This vulnerability can lead to information disclosure and unauthorized actions. Attackers can steal cookies, session tokens, and other sensitive data, perform actions on behalf of the victim, deface webpages, redirect users to malicious sites, and potentially gain full control over the victim's browser. Exploitation requires no authentication and can be done remotely, posing a significant risk to user confidentiality and system integrity. [1, 3]

Detection Guidance

This vulnerability can be detected by identifying instances of the vulnerable file `/patients/edit-patient.php` in the RemoteClinic system, especially by checking for the presence of the Email parameter being manipulated. One method to find vulnerable targets is using Google dorking with the query `inurl:patients/edit-patient.php`. Additionally, testing the endpoint with a proof-of-concept payload such as `<script>alert('XSS')</script>` via a POST request to `/patients/edit-patient.php?id=159` can confirm the presence of the vulnerability by observing if the script executes. Network monitoring tools can also be used to detect suspicious requests containing script injections targeting this endpoint. [1, 3]

Mitigation Strategies

Immediate mitigation steps include: 1) Implement proper output encoding of user inputs based on context (HTML, JavaScript, CSS, URL) to prevent execution of injected scripts. 2) Enforce strict input validation and filtering to allow only expected formats and reject or escape malicious content such as script tags. 3) Deploy a strict Content Security Policy (CSP) to restrict script sources and prevent unauthorized script execution. 4) Set secure cookie flags like HttpOnly and Secure to protect sensitive cookies from JavaScript access and ensure secure transmission. 5) Conduct regular security audits to detect and remediate XSS and other vulnerabilities promptly. Since no official patch or countermeasure is currently available, consider replacing the affected product with a secure alternative. [3, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9774. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart