CVE-2023-6425 MEDIUM

CVE-2023-6425: Cross-site Scripting vulnerability in BigProf products

Vendor Bigprof

Product Online Clinic Management System

Weakness CWE-79 · XSS

Published November 30, 2023

Last update February 6, 2026

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.

Key dates

02Disclosure timeline

November 30, 2023 CVE published

February 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-6425

Related vulnerabilities

04Related CVE

CVE-2023-1147 Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress CVE-2024-51892 WordPress Sell Media File with Stripe plugin <= 1.0.6 - Stored Cross Site Scripting (XSS) vulnerability CVE-2025-13838 WishSuite <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute CVE-2024-50451 WordPress MDTF – Meta Data and Taxonomies Filter plugin <= 1.3.3.4 - Cross Site Scripting (XSS) vulnerability CVE-2023-24810 Cross site scripting (XSS) vulnerability using authentication callback in Misskey