CVE-2025-41003
Unknown Unknown - Not Provided
Stored XSS in Imaster Patient System Enables Arbitrary Script Execution

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint ‘/projects/hospital/admin/edit_patient.php’. By injecting a malicious script into the ‘firstname’ parameter, the JavaScript code is stored and executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim's browser.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-41003
EUVD
EUVD-2026-1938
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
imaster patient_record_management_system *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in Imaster's Patient Record Management System at the endpoint '/projects/hospital/admin/edit_patient.php'. It occurs because the 'firstname' parameter is not properly sanitized, allowing an attacker to inject malicious JavaScript code. This code is then stored and executed every time a user accesses the patient list, enabling the attacker to run arbitrary JavaScript in the victim's browser. [1]

Impact Analysis

The vulnerability allows attackers to execute arbitrary JavaScript in the browsers of users who access the patient list. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the victim user, potentially compromising patient data and system integrity. [1]

Detection Guidance

This vulnerability can be detected by testing the `/projects/hospital/admin/edit_patient.php` endpoint for stored Cross-Site Scripting (XSS) in the `firstname` parameter. You can attempt to inject a harmless JavaScript payload (e.g., `<script>alert('XSS')</script>`) into the `firstname` field and then check if the script executes when accessing the patient list. For example, using curl to POST data: `curl -X POST -d "firstname=<script>alert('XSS')</script>" https://yourserver/projects/hospital/admin/edit_patient.php`. Then, access the patient list page in a browser to see if the alert triggers. Additionally, web vulnerability scanners that test for stored XSS can be used to automate detection. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint to trusted users only, applying strict input validation and sanitization on the `firstname` parameter to prevent script injection, and educating users to avoid clicking suspicious links. Since no official solution or patch is reported yet, consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting this parameter. Monitoring and logging access to the endpoint can also help detect exploitation attempts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41003. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart