CVE-2026-36324
Cross Site Scripting in Doctor Appointment System 1.0
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | doctor_appointment_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a stored cross-site scripting (XSS) issue in the user registration functionality of the Doctor Appointment System. It lets an attacker run arbitrary JavaScript in the administrator's browser, which can lead to takeover of the administrative account.
A vulnerability of this kind bears on GDPR and HIPAA obligations because it threatens the confidentiality and integrity of the personal and health information the system manages: an attacker who controls the administrative account can read or alter patient records, which would be a reportable breach or an unauthorized disclosure of protected health information.
The advisory itself does not address compliance; the above is an inference from the kind of data such a system handles.
Can you explain this vulnerability to me?
CVE-2026-36324 is a stored cross-site scripting (XSS) vulnerability in SourceCodester Doctor Appointment System 1.0. The user registration functionality (register.php) accepts the first name, last name and email fields without neutralizing HTML, stores them, and the administrator's user management interface (admin/users.php) later writes those values into the page without output encoding. JavaScript submitted in one of these fields at registration therefore executes in the browser of any administrator who views the user list; no authentication is needed to plant it, since registration is open.
How can this vulnerability impact me?
The realistic outcome is takeover of the administrative account. Because the script runs inside the administrator's browser session, the attacker can read the session cookie (unless it is marked HttpOnly), submit requests to the application on the administrator's behalf, and change data or settings the administrator can change. Since the payload is planted through self-registration, an unauthenticated attacker can do this and wait for an administrator to open the user list, which amounts to full compromise of the application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To confirm the issue, register a user with a harmless marker payload in one of the affected fields (first name, last name or email) on the registration page (register.php), for example <script>alert(document.cookie)</script>; include a unique token in the payload so the record is easy to find afterwards.
Then log in as an administrator and open the user management interface (admin/users.php). If the payload executes, or the page source contains the literal <script> tag rather than the encoded form &lt;script&gt;, the stored XSS is present.
No network-level detection commands come with the advisory; the primary method is manual testing through the web interface. On the server side, a search of the application's user table for stored name or email values containing `<` will show whether payloads have already been submitted by someone else.
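The check described above, written out as an added example (this is not code from SourceCodester or from the Doctor Appointment System). It builds the registration POST with a unique marker payload, fetches the admin user list with an existing admin session, and classifies what came back: the literal tag (vulnerable), the HTML-encoded tag (output encoding in place), the marker with the tag stripped, or nothing. The form field names first_name, last_name and email and the PHPSESSID cookie are assumptions, not taken from the advisory; confirm the field names against the form's HTML before a live run. Two constructed sample pages let it run offline.

```python
"""Stored-XSS probe for a registration form whose values are later shown to an
administrator. This is an added example for this advisory, not code from
SourceCodester or from the Doctor Appointment System.

Assumptions not stated in the advisory: the register.php form fields are named
first_name, last_name and email (confirm them in the form's HTML first), and
admin/users.php can be fetched with an existing admin session cookie.
"""

import html
import secrets
import sys
import urllib.parse
import urllib.request

FIELDS = ("first_name", "last_name", "email")  # assumed form parameter names


def make_marker() -> str:
    """Random token so this probe can be located in the admin page or the database."""
    return "xss" + secrets.token_hex(4)


def probe_payload(marker: str) -> str:
    """A script tag whose only content is a comment: inert if it runs, but it
    still tells us whether the tag survives storage and rendering intact."""
    return f"<script>/*{marker}*/</script>"


def registration_body(marker: str, target_field: str) -> bytes:
    """Urlencoded POST body for register.php with the probe in one field."""
    if target_field not in FIELDS:
        raise ValueError(f"unknown field {target_field!r}")
    form = {"first_name": "Probe", "last_name": "User",
            "email": f"{marker}@example.invalid"}
    form[target_field] = probe_payload(marker)
    return urllib.parse.urlencode(form).encode()


def classify(admin_html: str, marker: str) -> str:
    """How did the stored probe come back in the admin user list?

    unencoded : literal <script> tag present  -> stored XSS confirmed
    encoded   : only the HTML-escaped form     -> output encoding is in place
    stripped  : marker present, tag gone       -> tags filtered, still worth review
    absent    : marker not found               -> registration rejected or shown elsewhere
    """
    raw = probe_payload(marker)
    if raw in admin_html:
        return "unencoded"
    if html.escape(raw) in admin_html:
        return "encoded"
    if marker in admin_html:
        return "stripped"
    return "absent"


def live_check(base_url: str, admin_cookie: str, field: str = "first_name") -> str:
    """Submit the probe, then fetch the admin user list with the admin session and classify.
    admin_cookie is the raw Cookie header value of a logged-in admin (assumed PHPSESSID=...)."""
    base = base_url.rstrip("/")
    marker = make_marker()
    reg = urllib.request.Request(base + "/register.php",
                                 data=registration_body(marker, field), method="POST")
    urllib.request.urlopen(reg, timeout=10).read()
    admin = urllib.request.Request(base + "/admin/users.php",
                                   headers={"Cookie": admin_cookie})
    page = urllib.request.urlopen(admin, timeout=10).read().decode("utf-8", "replace")
    return classify(page, marker)


# Constructed sample responses (not captured from the application) for an offline run.
SAMPLE_MARKER = "xssdeadbeef"
_ROW = "<table><tr><td>1</td><td>{name}</td><td>User</td><td>a@example.invalid</td></tr></table>"
SAMPLE_VULNERABLE_PAGE = _ROW.format(name=probe_payload(SAMPLE_MARKER))
SAMPLE_SAFE_PAGE = _ROW.format(name=html.escape(probe_payload(SAMPLE_MARKER)))


def demo() -> dict:
    """Classify the two constructed pages; the live check returns the same labels."""
    return {"vulnerable": classify(SAMPLE_VULNERABLE_PAGE, SAMPLE_MARKER),
            "safe": classify(SAMPLE_SAFE_PAGE, SAMPLE_MARKER)}


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python probe.py http://host/doctor 'PHPSESSID=...'
        print(live_check(sys.argv[1], sys.argv[2]))
    else:
        print(demo())
```

Run it with no arguments for the offline classification of the constructed pages, or with a base URL and an admin Cookie header value for the live check. An "unencoded" result is conclusive even if the tag lands somewhere it does not execute (for example inside a quoted attribute), because an unencoded `<` in output is the defect; "stripped" means a filter removed the tag, which is not equivalent to encoding and deserves a second look with other payloads.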
What immediate steps should I take to mitigate this vulnerability?
The fix is contextual output encoding: every stored value written into HTML by the user management interface (admin/users.php) must be HTML-encoded at the point of output (in PHP, htmlspecialchars with ENT_QUOTES), so that injected markup renders as text instead of executing. This also neutralizes payloads already sitting in the database.
Input validation on register.php (restricting names to letters and a few punctuation characters, requiring a plausible email address) is worthwhile defence in depth, but it is not the fix: legitimate values such as O'Brien still need encoding, and validation does nothing for records already stored.
In addition, mark the session cookie HttpOnly so that a script running in the administrator's browser cannot read it, restrict administrative access to trusted users, and consider web application firewall (WAF) rules that block common XSS payloads as a stopgap until the code is corrected.
If the vendor publishes a version in which this vulnerability is fixed, update to it.
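The two halves of the mitigation side by side, as an added example for this advisory. The application is written in PHP; this is Python to show the rule, and the PHP equivalent of enc() below is htmlspecialchars($value, ENT_QUOTES, 'UTF-8'). The field names first_name, last_name and email are assumed, and render_user_row_unsafe only illustrates the concatenation pattern the advisory describes, not the project's actual code. The attacker record shows both an element-body payload (first name) and an attribute-breakout payload (email); the legitimate record shows why encoding, not validation, carries the fix.

```python
"""Input validation for register.php and contextual output encoding for the
admin user list, as an added example for this advisory. The application is
PHP; this is Python to show the rule, and the PHP equivalent of enc() is
htmlspecialchars($value, ENT_QUOTES, 'UTF-8'). Field names are assumed, and
the "unsafe" renderer only illustrates the pattern the advisory describes.
"""

import html
import re

# A name: a letter, then up to 49 more letters, spaces, apostrophes, periods or hyphens.
NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '.-]){0,49}$")
# A plausible address: no whitespace, quotes or angle brackets on either side of one '@'.
EMAIL_RE = re.compile(r"""^[^@\s<>"']{1,64}@[^@\s<>"']{1,255}$""")


def validate_registration(form: dict) -> dict:
    """Return {field: reason} for every field that fails; an empty dict means accept.
    Validation is defence in depth, not the XSS fix: O'Brien is a legitimate name and
    still needs encoding, and rejecting '<' here does nothing for records already stored."""
    errors = {}
    for field in ("first_name", "last_name"):
        if not NAME_RE.match(form.get(field, "")):
            errors[field] = "letters, spaces, apostrophes, periods and hyphens only (max 50)"
    email = form.get("email", "")
    if len(email) > 254 or not EMAIL_RE.match(email):
        errors["email"] = "not a plausible e-mail address"
    return errors


def enc(value: str) -> str:
    """HTML-encode for element-body and quoted-attribute contexts: &, <, >, " and '
    are all replaced, so a value can neither open a tag nor close an attribute."""
    return html.escape(value, quote=True)


def render_user_row_unsafe(user: dict) -> str:
    """Stored values concatenated straight into HTML (the vulnerable pattern)."""
    return (f'<tr data-email="{user["email"]}"><td>{user["first_name"]}</td>'
            f'<td>{user["last_name"]}</td><td>{user["email"]}</td></tr>')


def render_user_row(user: dict) -> str:
    """Hardened: every value is encoded at the point it is written into HTML."""
    return (f'<tr data-email="{enc(user["email"])}"><td>{enc(user["first_name"])}</td>'
            f'<td>{enc(user["last_name"])}</td><td>{enc(user["email"])}</td></tr>')


# Constructed sample registrations (not real data): one attacker, one legitimate user.
ATTACKER = {"first_name": "<script>alert(document.cookie)</script>",
            "last_name": "x",
            "email": '" onmouseover="alert(1)" data-x="a@example.invalid'}
LEGIT = {"first_name": "Siobhán", "last_name": "O'Brien",
         "email": "siobhan@example.invalid"}


def demo() -> dict:
    """Validation results for both records and both renderings of the attacker record."""
    return {"attacker_rejected": sorted(validate_registration(ATTACKER)),
            "legit_rejected": sorted(validate_registration(LEGIT)),
            "unsafe_row": render_user_row_unsafe(ATTACKER),
            "safe_row": render_user_row(ATTACKER),
            "legit_row": render_user_row(LEGIT)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the unsafe rendering the email value closes the data-email attribute and adds an onmouseover handler, while the first name injects a script element; in the hardened rendering both become inert text because enc() replaces the quote characters as well as the angle brackets. That is why ENT_QUOTES (or Python's quote=True) matters: htmlspecialchars without it leaves single quotes alone and is not safe inside single-quoted attributes.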