CVE-2026-3171
Cross-Site Scripting in Patients Waiting Area Queue Management System
Publication date: 2026-02-25
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pamzey | patients_waiting_area_queue_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3171 is a Stored Cross-Site Scripting (XSS) vulnerability found in version 1.0 of the SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System, specifically in the /queue.php file.
The vulnerability occurs because the firstname and lastname parameters submitted during patient registration are not properly sanitized or output-encoded before being stored in the database and displayed on the public-facing queue monitor.
An attacker can exploit this by injecting malicious JavaScript payloads into these name fields, which then execute automatically for any user viewing the queue page, including public kiosks or waiting area displays.
This issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and can be exploited remotely without local access, but requires user interaction by the victim.
How can this vulnerability impact me?
The vulnerability allows execution of arbitrary scripts on public monitors displaying the queue, which can lead to several security risks.
- Defacement of the queue display, causing misinformation or disruption.
- Hijacking of administrative sessions if authorized personnel view the affected queue page, potentially leading to unauthorized access.
- Execution of persistent malicious scripts on public kiosks or waiting area displays, which can compromise data integrity and user trust.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the /queue.php page of the Patients Waiting Area Queue Management System is vulnerable to cross-site scripting via the firstname and lastname parameters.
One method to identify potentially vulnerable targets is to use Google dorking with queries such as inurl:queue.php to find exposed instances of the affected page.
A practical detection approach is to attempt injecting a benign JavaScript payload into the firstname or lastname fields during patient registration and then observe if the script executes when viewing the queue.php page.
- Use a web browser or curl to submit a registration with a payload like "><img src=x onerror=alert(1)>" in the firstname or lastname fields.
- Access the /queue.php page and check if an alert box or injected script executes, indicating the presence of the vulnerability. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
No known mitigations or countermeasures have been documented for this vulnerability.
The suggested immediate step is to replace the affected software with an alternative product that does not contain this vulnerability.
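The defect described in the Q&A above (stored firstname/lastname values written into the queue monitor's HTML without output encoding) and the standard fix, shown as an added PHP illustration; this is not the project's own code, and the row layout, column names and function names are assumed.

```php
<?php
// Added illustration, not code from the affected project. It contrasts the
// rendering pattern that produces stored XSS on a queue display with the
// output-encoding fix. Column names (firstname, lastname) are assumed.

// Vulnerable pattern: stored values are concatenated straight into HTML, so
// any markup saved at registration is interpreted by every monitor that
// renders the queue.
function render_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['firstname'] . ' ' . $row['lastname'] . '</td></tr>';
}

// Hardened pattern: encode at the output boundary for the HTML text context.
// ENT_QUOTES | ENT_HTML5 also escapes both quote characters, so the same
// helper is safe inside attribute values; the explicit charset prevents
// encoding mismatches from reintroducing special characters.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $row): string
{
    return '<tr><td>' . h($row['firstname']) . ' ' . h($row['lastname']) . '</td></tr>';
}

// Defence in depth at the input side: a patient name has no legitimate use
// for markup characters, so registration can reject them. This supplements
// output encoding; it never replaces it.
function is_plausible_name(string $value): bool
{
    return $value !== ''
        && mb_strlen($value, 'UTF-8') <= 60
        && preg_match('/^[\p{L}\p{M}\'\- .]+$/u', $value) === 1;
}

// Constructed sample row mimicking a malicious registration already stored
// in the database (the payload is the one quoted in the detection section).
$row = ['firstname' => '"><img src=x onerror=alert(1)>', 'lastname' => 'Smith'];

echo render_row_vulnerable($row), PHP_EOL; // markup is passed through unchanged
echo render_row_safe($row), PHP_EOL;       // markup is rendered as literal text
var_dump(is_plausible_name($row['firstname'])); // registration-time rejection
```

Applying `h()` to every stored field at the point where queue.php emits HTML removes the script execution path on the kiosks and monitors, independently of whether existing database rows already contain markup.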