Multiple stored cross site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields.

Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter.

Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter.

Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter.

Blind SQL injection in contactus.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via lastname parameter.

SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.

Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the comment parameter.

Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the lastname parameter.

SQL injection in the expertise parameter in search_result.php in Doctor Appointment System v1.0 allows an authenticated patient user to dump the database credentials via a SQL injection attack.

An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php.