CVE-2023-6425

MEDIUM

BigProf Online Clinic Management System 2.2 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-6425. PoCs published by Rafael Pedrero.

AI-analyzed exploit summary The exploit demonstrates multiple stored and reflected XSS vulnerabilities in Online Clinic Management System 2.2 via the 'FirstRecord' parameter in various PHP scripts. The PoC includes both GET and POST request examples with payloads that trigger JavaScript alerts.

Description

A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Rafael Pedrero · textwebappsphp
https://www.exploit-db.com/exploits/51439

The exploit demonstrates multiple stored and reflected XSS vulnerabilities in Online Clinic Management System 2.2 via the 'FirstRecord' parameter in various PHP scripts. The PoC includes both GET and POST request examples with payloads that trigger JavaScript alerts.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Online Clinic Management System 2.2
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.3
EPSS 0.0040
EPSS Percentile 31.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Details

CWE
CWE-79
Status published
Products (1)
bigprof/online_clinic_management_system 2.2
Published Nov 30, 2023
Tracked Since Feb 18, 2026