CVE-2020-28937

EUVD-2020-21325
OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
openclinic_projectopenclinic
0.8.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://labs.bishopfox.com/advisories/openclinic-version-0.8.2
https://labs.bishopfox.com/advisories/openclinic-version-0.8.2