{"id": "CVE-2020-28937", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-12-03T16:15:12.370", "references": [{"url": "https://labs.bishopfox.com/advisories/openclinic-version-0.8.2", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://labs.bishopfox.com/advisories/openclinic-version-0.8.2", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-425"}]}], "descriptions": [{"lang": "en", "value": "OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI."}, {"lang": "es", 
"value": "OpenClinic versi\u00f3n 0.8.2, est\u00e1 afectada por una vulnerabilidad de falta de autenticaci\u00f3n que permite a usuarios no autenticados acceder a unos resultados de las pruebas m\u00e9dicas de cualquier paciente, resultando posiblemente en una divulgaci\u00f3n de Protected Health Information (PHI) almacenada en la aplicaci\u00f3n, por medio de una petici\u00f3n directa para el URI /tests/"}], "lastModified": "2024-11-21T05:23:19.780", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openclinic_project:openclinic:0.8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9435F029-462E-4564-ACF1-AE98A752E7FB"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}