CVE-2025-9753: Cross Site Scripting in Campcodes Online Hospital Management System
A vulnerability was detected in Campcodes Online Hospital Management System 1.0. The affected element is an unknown function of the file /admin/patient-search.php of the component Patient Search Module. Performing manipulation of the argument Search by Name Mobile No results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used.
AI Analysis
Technical Summary
CVE-2025-9753 is a medium severity Cross Site Scripting (XSS) vulnerability identified in version 1.0 of the Campcodes Online Hospital Management System, specifically within the Patient Search Module located at /admin/patient-search.php. The vulnerability arises from improper sanitization or validation of user-supplied input in the 'Search by Name Mobile No' parameter. An attacker can remotely craft malicious input that, when processed by the vulnerable function, results in the execution of arbitrary scripts in the context of the victim's browser. This type of vulnerability can be exploited without authentication but requires user interaction, such as an administrator or staff member accessing the manipulated search page. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), user interaction required (UI:P), and limited impact on integrity only (VI:L) with no impact on confidentiality or availability; the privileges-required metric is PR:H (high privileges), which sits uneasily with the description's statement that the attack can be initiated remotely, so that element of the scoring is ambiguous. The exploit is publicly available, increasing the risk of exploitation, although no known active exploitation has been reported yet. Given the nature of hospital management systems, which handle sensitive patient data and critical healthcare operations, the presence of an XSS vulnerability can facilitate phishing, session hijacking, or unauthorized actions within the administrative interface, potentially leading to further compromise or data leakage.
Potential Impact
For European healthcare organizations using Campcodes Online Hospital Management System 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of patient data and administrative operations. Successful exploitation could allow attackers to execute malicious scripts in the context of hospital staff browsers, potentially leading to session hijacking, unauthorized access to sensitive patient records, or manipulation of hospital management workflows. This could undermine patient privacy, violate GDPR regulations, and disrupt hospital operations. Although the vulnerability does not directly impact availability, the indirect consequences such as loss of trust, regulatory fines, and operational disruptions could be significant. The fact that the exploit is publicly available increases the urgency for European hospitals to address this vulnerability promptly to prevent targeted attacks, especially given the critical nature of healthcare services and the high value of patient data in Europe.
Mitigation Recommendations
1. Immediately apply input validation and output encoding on the 'Search by Name Mobile No' parameter within the Patient Search Module to neutralize malicious scripts.
2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the hospital management system's web interface.
3. Conduct a thorough code review and penetration testing of the entire application to identify and remediate other potential XSS or injection vulnerabilities.
4. Restrict access to the /admin/patient-search.php page using strong authentication and role-based access controls to limit exposure.
5. Educate hospital staff on recognizing phishing attempts and suspicious behavior that could result from XSS exploitation.
6. Monitor web server logs and application behavior for unusual activity indicative of exploitation attempts.
7. Coordinate with Campcodes for a security patch or update; if unavailable, consider temporary mitigations such as web application firewalls (WAF) with custom rules to block malicious payloads targeting this parameter.
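As an added illustration of recommendations 1, 2 and 6 (this is example code written for this page, not Campcodes' own code; the real query-parameter name is not given here, so `searchdata` is a placeholder), the unsafe reflection pattern behind this class of bug is shown beside a hardened handler and a small log check for requests carrying markup in that field:

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical query-parameter name for the 'Search by Name Mobile No' field
# (assumption: the advisory does not state the real name).
SEARCH_PARAM = "searchdata"

# Unsafe pattern (illustrative): the submitted term is concatenated straight
# into the HTML response, so any markup in it becomes live markup.
def render_results_unsafe(term: str) -> str:
    return f"<h4>Search results for: {term}</h4>"

# Hardened pattern: validate the field against what a name or mobile number
# can contain, then HTML-encode on output (quotes included).
NAME_OR_MOBILE = re.compile(r"^[A-Za-z0-9 .'+\-]{1,60}$")

def validate_search_term(term: str) -> bool:
    return bool(NAME_OR_MOBILE.fullmatch(term))

def render_results_safe(term: str) -> str:
    if not validate_search_term(term):
        return "<h4>Invalid search term</h4>"
    return f"<h4>Search results for: {html.escape(term, quote=True)}</h4>"

# Response headers the safe handler should send: a CSP that forbids inline
# script, so a reflected payload cannot run even if encoding is missed elsewhere.
SAFE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

# Detection over access logs: flag requests to the search page whose decoded
# search value contains HTML metacharacters (parse_qs percent-decodes for us).
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_search_requests(log_lines):
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if url.path != "/admin/patient-search.php":
            continue
        if any(c in v for v in parse_qs(url.query).get(SEARCH_PARAM, []) for c in "<>\"'"):
            hits.append(line)
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2025:01:02:39 +0000] "GET /admin/patient-search.php?searchdata=John+Smith HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Sep/2025:01:03:10 +0000] "GET /admin/patient-search.php?searchdata=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5140',
    '203.0.113.7 - - [01/Sep/2025:01:03:30 +0000] "GET /admin/index.php HTTP/1.1" 200 2048',
]
```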
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-31T08:22:27.487Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68b4f0afad5a09ad00c625f3
Added to database: 9/1/2025, 1:02:39 AM
Last enriched: 9/8/2025, 6:50:41 AM
Last updated: 10/19/2025, 7:53:53 AM