CVE-2025-70063
MEDIUM
PHPGurukul HMS 4.0 - IDOR
Title source: llm
Description
The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the confidential medical records of other patients by iterating the 'viewid' integer.
Scores
CVSS v3: 6.5
EPSS: 0.0003
EPSS Percentile: 9.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Classification
CWE: CWE-639
Status: published
Affected Products (1)
phpgurukul/hospital_management_system
Timeline
Published: Feb 18, 2026
Tracked Since: Feb 18, 2026