CVE-2025-41003
Stored XSS in Imaster Patient System Enables Arbitrary Script Execution

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint ‘/projects/hospital/admin/edit_patient.php’. A malicious script injected into the ‘firstname’ parameter is stored and then executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim's browser.
Meta Information
Published: 2026-01-12
Last Modified: 2026-01-12
Generated: 2026-05-06
AI Q&A: 2026-01-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: imaster
Product: patient_record_management_system
Version / Range: *
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stored Cross-Site Scripting (XSS) issue in Imaster's Patient Record Management System at the endpoint '/projects/hospital/admin/edit_patient.php'. It occurs because the 'firstname' parameter is not properly sanitized, allowing an attacker to inject malicious JavaScript code. This code is then stored and executed every time a user accesses the patient list, enabling the attacker to run arbitrary JavaScript in the victim's browser. [1]


How can this vulnerability impact me?

The vulnerability allows attackers to execute arbitrary JavaScript in the browsers of users who access the patient list. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the victim user, potentially compromising patient data and system integrity. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the `/projects/hospital/admin/edit_patient.php` endpoint for stored Cross-Site Scripting (XSS) in the `firstname` parameter. You can attempt to inject a harmless JavaScript payload (e.g., `<script>alert('XSS')</script>`) into the `firstname` field and then check if the script executes when accessing the patient list. For example, using curl to POST data: `curl -X POST -d "firstname=<script>alert('XSS')</script>" https://yourserver/projects/hospital/admin/edit_patient.php`. Then, access the patient list page in a browser to see if the alert triggers. Additionally, web vulnerability scanners that test for stored XSS can be used to automate detection. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoint to trusted users only, applying strict input validation and sanitization on the `firstname` parameter to prevent script injection, and educating users to avoid clicking suspicious links. Since no official solution or patch is reported yet, consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting this parameter. Monitoring and logging access to the endpoint can also help detect exploitation attempts. [1]
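
The input validation and output handling described above could look like the following in PHP; this is an added example, not code from the Imaster application. The helper names (`validate_firstname`, `h`, `find_suspect_rows`), the 64-character limit and the row layout are assumptions, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Write side: allowlist check for the 'firstname' value before it is stored.
// Accepts Unicode letters and combining marks, then spaces, periods,
// apostrophes and hyphens, up to 64 characters (an assumed limit).
// Invalid UTF-8 makes preg_match() return false, which is also rejected.
function validate_firstname(string $raw): ?string
{
    $name = trim($raw);
    $pattern = '/^[\p{L}\p{M}][\p{L}\p{M} .\'-]{0,63}$/uD';
    return preg_match($pattern, $name) === 1 ? $name : null;
}

// Read side: encode for an HTML text or attribute context when rendering the
// patient list, so a value stored before the fix is displayed as inert text.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Audit: return the ids of stored rows whose firstname fails the allowlist,
// to find records that were written before validation was in place.
function find_suspect_rows(array $rows): array
{
    $suspect = [];
    foreach ($rows as $row) {
        if (validate_firstname((string) $row['firstname']) === null) {
            $suspect[] = (int) $row['id'];
        }
    }
    return $suspect;
}

// Constructed sample rows standing in for the patient table.
$rows = [
    ['id' => 1, 'firstname' => 'María José'],
    ['id' => 2, 'firstname' => "O'Brien"],
    ['id' => 3, 'firstname' => "<script>alert('XSS')</script>"],
];

foreach ($rows as $row) {
    echo '<td>' . h($row['firstname']) . "</td>\n";
}
echo 'Rows to review: ' . implode(', ', find_suspect_rows($rows)) . "\n";
```

Encoding at render time is the control that neutralizes payloads already in the database; the allowlist only stops new ones from being written.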

