CVE-2025-70063 — Authorization Bypass Through User-Controlled Key in Hospital Management System

CWE-639 — Authorization Bypass Through User-Controlled Key3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 88.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpgurukul Hospital Management System

Timeline

PublishedFeb 18

Description

The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the confidential medical records of other patients by iterating the 'viewid' integer.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDphpgurukul/hospital_management_system4.0

🔴Vulnerability Details

CVEList

CVE-2025-70063: The 'Medical History' module in PHPGurukul Hospital Management System v4↗2026-02-18

▶

GHSA

GHSA-8gfj-223w-87pr: The 'Medical History' module in PHPGurukul Hospital Management System v4↗2026-02-18

▶