## Critical Vulnerability Information

- **CVE ID**: CVE-2023-4440
- **Vulnerability ID**: VDB-237561
- **Vendor and Product**: SourceCodester Free Hospital Management System for Small Practices 1.0
- **Vulnerability Type**: SQL Injection
- **Vulnerable File**: `appointment.php`
- **Impacted Argument**: `scheduldate`
- **Severity**: Critical
- **Exploit Availability**: Yes, Proof-of-Concept exploit available on GitHub.
- **Publication Date**: August 20, 2023
- **CWE**: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- **Attack Technique**: T1505
- **Impact**: Confidentiality, Integrity, and Availability

### Description

A vulnerability has been identified in SourceCodester Free Hospital Management System for Small Practices 1.0. Manipulating the `scheduldate` parameter in `appointment.php` leads to an SQL injection vulnerability. The attack can be initiated remotely.

### Exploit Information

The exploit is publicly shared on GitHub and serves as a proof-of-concept. Vulnerable systems can be discovered using Google Hacking with the search query `inurl:appointment.php`.

### Recommendation

Replace the affected software with an alternative product, as no known mitigations or patches are currently available.
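
Until the product is replaced, web server logs can be triaged for requests to `appointment.php` whose `scheduldate` value is not a plain date. The script below is an added example, not code from the advisory or the vendor; it assumes the parameter arrives in the query string and that legitimate values are `YYYY-MM-DD` dates, and the log lines are constructed samples.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Aug/2023:10:00:01 +0000] "GET /appointment.php?scheduldate=2023-08-25 HTTP/1.1" 200 5120
203.0.113.11 - - [21/Aug/2023:10:00:07 +0000] "GET /appointment.php?scheduldate=2023-08-25%27 HTTP/1.1" 200 9211
203.0.113.12 - - [21/Aug/2023:10:00:09 +0000] "GET /index.php?page=home HTTP/1.1" 200 1042
203.0.113.13 - - [21/Aug/2023:10:00:12 +0000] "GET /hms/appointment.php?scheduldate=2023-02-30 HTTP/1.1" 200 5120
"""

# Client address and request target from one access-log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_strict_date(value):
    """True only for a real calendar date written exactly as YYYY-MM-DD.
    The date format is an assumption; adjust it to what the site really sends."""
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")
        return True
    except ValueError:
        return False  # right shape, impossible date (e.g. 30 February)

def suspicious_requests(log_text):
    """Return (client_ip, decoded_value) for every appointment.php request
    whose scheduldate value fails the strict date check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/appointment.php"):
            continue
        # parse_qs percent-decodes values, so encoded characters are checked too.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("scheduldate", []):
            if not is_strict_date(value):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}\tscheduldate={value!r}")
```

Form fields submitted in a POST body do not appear in standard access logs, so the same `is_strict_date` check would have to run where request bodies are visible, such as a reverse proxy or WAF.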