This vulnerability (CWE-434) in mojoomla Hospital Management System allows an authenticated user with low privileges to upload files without proper restriction on file types. This can be exploited to upload a malicious web shell, granting remote code execution capabilities on the web server. The affected version is 47.0(20. The CVSS score of 9.9 reflects network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or official fix information is available, and the product is not a cloud service, so remediation depends on vendor updates.

Successful exploitation can lead to remote code execution on the web server hosting the Hospital Management System, resulting in full compromise of the system. This includes unauthorized access to sensitive patient data, alteration or destruction of data, and potential disruption of hospital operations. The critical CVSS score confirms the high severity of this vulnerability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict file upload functionality where possible, implement strict file type validation, and monitor for suspicious file uploads. Consider applying web application firewall (WAF) rules to detect and block web shell uploads. Avoid exposing the upload functionality to untrusted users.