This vulnerability exposes patient medical history records to unauthorized reading, exfiltration, modification, or deletion by any attacker who can reach the application over the network. Because the injected input reaches the database query itself, integrity is at risk as well as confidentiality: records can be altered or removed, not only read. For healthcare organizations, unauthorized access to patient records creates direct exposure under patient privacy regulations, including potential regulatory investigation, mandatory breach notification, and associated fines. Operational impact includes corruption or loss of patient history data, which can disrupt clinical workflows and, in active care settings, create patient safety risk if records are altered or destroyed.
You Are Affected If
You are running SourceCodester Hospitals Patient Records Management System version 1.0
The /admin/patients/manage_history.php endpoint is accessible from the internet or an untrusted network segment
No web application firewall or IPS rule is blocking SQL injection patterns against this application (treat such rules as a compensating control only; they reduce exposure but do not remove the underlying flaw and can be bypassed)
You have not applied a vendor-issued patch or a manual code fix that validates and parameterizes the 'ID' parameter in manage_history.php (a prepared statement with a bound parameter, rather than input concatenated into the query string)
Database credentials used by the application have broad read/write access beyond the minimum required schema (for example, rights to drop tables or read other databases), which widens the blast radius of a successful injection
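The following is an added illustration of the manual code fix referred to above; it is not code from the SourceCodester application, and the "vulnerable" function is an assumed pattern (an unparameterized lookup of the 'ID' request parameter), not the actual contents of manage_history.php. The table name `history`, the column `id`, and an existing mysqli connection in `$conn` are assumptions for the example.

```php
<?php
// Added illustrative example, not code from the SourceCodester application.
// ASSUMPTIONS: the vulnerable pattern below approximates an unparameterized
// lookup of the 'ID' parameter; table 'history', column 'id', and an open
// mysqli connection in $conn are placeholders. get_result() needs mysqlnd.

// --- Vulnerable pattern (assumed): request input concatenated into the SQL text ---
function load_history_vulnerable(mysqli $conn, array $request): ?array
{
    $id  = $request['ID'] ?? '';
    // The value becomes part of the statement, so a crafted value can change
    // the statement's structure instead of just the matched row.
    $sql = "SELECT * FROM history WHERE id = '" . $id . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version: validate the type, then bind the value ---
function load_history_safe(mysqli $conn, array $request): ?array
{
    // 1. Reject anything that is not a positive integer before it reaches the DB.
    //    filter_var returns false for null, empty strings, and non-numeric input.
    $id = filter_var(
        $request['ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Prepared statement: the value is transmitted separately from the query
    //    text, so it can never alter the statement's structure.
    $stmt = $conn->prepare("SELECT * FROM history WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}
```

The same binding applies to any UPDATE or DELETE the endpoint performs on the record: every user-supplied value goes through `bind_param` (or PDO's `bindValue`), and the integer check happens before the query is built. Escaping alone (`real_escape_string`) is not a substitute here, because the value is used without surrounding quotes in many integer lookups and escaping does nothing in that position.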
Board Talking Points
A publicly known, remotely exploitable flaw in our hospital records software allows an attacker to read or destroy patient medical history data with no login required.
We recommend restricting access to the affected component immediately and applying available patches or compensating controls within 72 hours.
If unaddressed, this exposure could result in a reportable patient data breach, regulatory notification obligations, and reputational harm to the organization.
HIPAA — The affected system explicitly manages patient medical records; unauthorized access to this data via SQL injection constitutes potential exposure of protected health information (PHI) under 45 CFR Parts 160 and 164 (the Privacy, Security, and Breach Notification Rules).
GDPR — If the system is operated in or serves patients in EU/EEA jurisdictions, patient health records qualify as special category personal data under Article 9; unauthorized access triggers breach assessment obligations under Article 33 (notification to the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals) and, where the risk to patients is high, notification of the affected individuals under Article 34.