Main Vulnerability Database Vulnerabilities #VU48812

#VU48812 Improper Authentication in OpenClinic - CVE-2020-28937

Published: December 3, 2020 / Updated: December 7, 2020

Vulnerability identifier: #VU48812

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2020-28937

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
OpenClinic

Software vendor:
Jose Antonio Chavarría

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests. A remote attacker can send a direct request to the "/tests/" URI, access any patient´s medical test results and disclose the Protected Health Information (PHI) stored in the application.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links

https://labs.bishopfox.com/advisories/openclinic-version-0.8.2