Product: Patients Waiting Area Queue Management System

Version: 1.0

Vulnerability Type: Stored Cross-Site Scripting (XSS)

Affected Component: queue.php (Public Display)

Affected Parameters: firstname, lastname (via Registration)

Description:

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Patients Waiting Area Queue Management System 1.0. The flaw allows an attacker to inject malicious scripts into the public-facing patient queue display (queue.php). During patient registration, an attacker can input a JavaScript payload in the name fields. Because this data is stored in the database and then displayed on the public monitor without output encoding, the script executes automatically for any user viewing the queue. This is particularly dangerous as it can target public-facing kiosks or waiting area displays.

Proof of Concept (PoC):

1. Navigate to the Patient Registration page.
2. Register a new patient with the following payload in the First Name: ">
3. Access the public queue page: http://localhost/pqms/queue.php
4. Observe the alert(1) executing immediately upon page load.
5. Note: After closing the alert, the broken HTML/payload remains visible in the queue table.

Impact:

- Public Execution: Malicious scripts run on public-facing monitors.
- Session Theft: If an administrator views the public queue, their session could be compromised.
- Defacement: The queue board can be completely altered or redirected.

Researcher: Archana M
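
Added example, not taken from the application's source: a minimal PHP sketch of the missing output encoding described above, showing the unencoded rendering pattern beside a hardened one for the firstname and lastname fields. The row layout, function names and sample rows are assumptions constructed for illustration.

```php
<?php
// Added example, not the application's code. The keys firstname/lastname
// follow the advisory; queue_no and the function names are assumptions.

// Constructed sample rows standing in for the result of the queue query.
$rows = [
    ['queue_no' => 1, 'firstname' => 'Asha', 'lastname' => "O'Neil"],
    ['queue_no' => 2, 'firstname' => '"><i>markup</i>', 'lastname' => 'Test & Co'],
];

// Encode a stored value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pattern the advisory describes: stored values echoed without encoding,
// so any markup in a name becomes part of the page.
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['queue_no'] . '</td><td>'
        . $row['firstname'] . ' ' . $row['lastname'] . "</td></tr>\n";
}

// Hardened form: every stored field is encoded at output time, so the
// second sample row is displayed as literal text.
function render_row_safe(array $row): string
{
    return '<tr><td>' . h((string) $row['queue_no']) . '</td><td>'
        . h($row['firstname']) . ' ' . h($row['lastname']) . "</td></tr>\n";
}

header('Content-Type: text/html; charset=UTF-8');
// Defense in depth, assuming the display page loads scripts only from
// its own origin: inline script is refused even if encoding is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

echo "<table>\n";
foreach ($rows as $row) {
    echo render_row_safe($row);
}
echo "</table>\n";
```

Encoding at output time also neutralizes records that were stored before the fix; validating names at registration complements it but does not replace it.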