HIGH🇵🇱 Wersja polska

CVE-2025-58402

CVSS 7.1v4.0pub. 2026-03-02upd. 2026-03-09

The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Cgm Clininet

    APP
    Cgm
    < 2025.ms4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-30042CRITICAL9.0PL ✓ten sam produkt

CGM CLININET: Obejście uwierzytelnienia kartą chipową poprzez sam numer certyfikatu

CVE-2025-58405MEDIUM5.3ten sam produkt

The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP...

CVE-2025-58406MEDIUM5.3ten sam produkt

The CGM CLININET application respond without essential security HTTP headers, exposing users to client‑side at...