CVE-2020-35745 Information
Jun 07, 2022
Description
PHPGURUKUL Hospital Management System V 4.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, doctors, and patients, change the admin password, get appointment history, and access all session logs.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
https://medium.com/@ashketchum/privilege-escalation-unauthenticated-access-to-admin-portal-cve-2020-35745-bb5d5dca97a0
https://www.youtube.com/watch?v=vnSsg6iwV9Y&feature=youtu.be&ab_channel=ashketchum
https://www.phpgurukul.com/hospital-management-system-in-php/
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH