Vulnerability Details : CVE-2022-40471
Public exploit exists!
Remote Code Execution in Clinic's Patient Management System v 1.0 allows Attacker to Upload arbitrary php webshell via profile picture upload functionality in users.php
Vulnerability category: Execute code
Products affected by CVE-2022-40471
- cpe:2.3:a:oretnom23:clinic\'s_patient_management_system:1.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-40471
80.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2022-40471
-
Clinic's Patient Management System 1.0 - Unauthenticated RCE
Disclosure Date: 2022-10-31First seen: 2024-12-20exploit/multi/http/clinic_pms_fileupload_rceThis module exploits an unauthenticated file upload vulnerability in Clinic's Patient Management System 1.0. An attacker can upload a PHP web shell and execute it by leveraging directory listing enabled on the `/pms/user_images` directory.
CVSS scores for CVE-2022-40471
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-40471
-
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-40471
-
https://github.com/RashidKhanPathan/CVE-2022-40471
GitHub - RashidKhanPathan/CVE-2022-40471: RCE Exploit and ResearchExploit;Third Party Advisory
-
https://www.sourcecodester.com/php-clinics-patient-management-system-source-code
Product
-
https://drive.google.com/file/d/1m-wTfOL5gY3huaSEM3YPSf98qIrkl-TW/view?usp=sharing
https://drive.google.com/file/d/1m-wTfOL5gY3huaSEM3YPSf98qIrkl-TW/view?usp=sharingExploit;Third Party Advisory
Jump to