CVE-2025-41003
Description
Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint ‘/projects/hospital/admin/edit_patient.php’. By injecting a malicious script into the ‘firstname’ parameter, the JavaScript code is stored and executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Imaster's Patient Record Management System allows arbitrary JavaScript execution via malicious script injection into the firstname parameter.
A stored cross-site scripting (XSS) vulnerability in Imaster's Patient Record Management System exists in the /projects/hospital/admin/edit_patient.php endpoint. The firstname parameter is not properly sanitized, allowing an attacker to inject arbitrary JavaScript that gets stored in the database. When other users access the patient list, the injected script executes in their browsers [1].
Exploitation requires an authenticated user with low privileges (e.g., a staff account) to inject a malicious payload via the patient editing form. The stored script then triggers every time the patient list is viewed, making it a persistent attack vector [1].
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the logged-in user's session. This can lead to session hijacking, data theft, or unauthorized actions within the application. The CVSS v4.0 score of 5.1 reflects the low rated impact to confidentiality and integrity; the stored nature of the payload nonetheless makes the attack persistent across every view of the patient list [1].
As of the publication of the INCIBE advisory (INCIBE-2026-015), no official patch or workaround has been provided by Imaster. Organizations using this system should monitor for updates and consider implementing input validation and output encoding as a defensive measure [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
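The defensive measure named above (input validation on the edit form plus HTML output encoding where the patient list is rendered) is illustrated below. This is an added example written for this page; it is not Imaster's code, the function names (renderPatientRowVulnerable, renderPatientRowSafe, e, validateFirstname) and the sample patient record are assumptions, and the length limit and character set for a first name are choices a deploying organization would make for itself.

```php
<?php
// Added example, not Imaster's code. Shows the vulnerable pattern of echoing a
// stored field straight into HTML beside the hardened pattern of encoding it for
// the HTML context at output time, plus server-side validation on the edit form.

// Constructed sample record standing in for one row read from the patients table.
// The firstname value is deliberately built from HTML metacharacters so the
// difference between the two renderers is visible.
$patient = [
    'id'        => 42,
    'firstname' => 'Alice <b>"Smith"</b> & Co',
];

// Vulnerable: the stored value becomes part of the document as-is. Whatever markup
// it carries is interpreted by the browser of every user who views the list.
function renderPatientRowVulnerable(array $patient): string
{
    return '<tr><td>' . $patient['id'] . '</td><td>' . $patient['firstname'] . '</td></tr>';
}

// Hardened: encode for the HTML body context. ENT_QUOTES also encodes single quotes,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string, and the
// charset is stated explicitly rather than taken from the default_charset ini setting.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPatientRowSafe(array $patient): string
{
    return '<tr><td>' . e((string) $patient['id']) . '</td><td>' . e($patient['firstname']) . '</td></tr>';
}

// Validation at the edit endpoint (defence in depth, not a substitute for encoding):
// a first name has no legitimate need for angle brackets, quotes or control characters.
// The 64-character limit and the allowed character classes are assumed policy values.
function validateFirstname(string $firstname): bool
{
    $firstname = trim($firstname);
    if ($firstname === '' || mb_strlen($firstname, 'UTF-8') > 64) {
        return false;
    }
    // Letters and combining marks from any script, whitespace, apostrophe, hyphen, period.
    return preg_match('/^[\p{L}\p{M}\s\'\-.]+$/u', $firstname) === 1;
}

echo renderPatientRowVulnerable($patient), PHP_EOL;
echo renderPatientRowSafe($patient), PHP_EOL;
var_dump(validateFirstname($patient['firstname']));
var_dump(validateFirstname("Anne-Marie O'Neil"));
```

Run with `php example.php`. The safe renderer emits the sample name with every `<`, `>`, `"` and `&` replaced by its HTML entity, so the browser displays the characters instead of interpreting them; the vulnerable renderer passes them through untouched. The validator rejects the constructed sample and accepts an ordinary hyphenated or apostrophe-bearing name. Encoding at output is the control that actually closes the stored XSS, because it protects every existing row in the database, including values written before validation was added; validation only narrows what new rows can contain.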
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.