CVE-2023-0944

Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Fluid AttacksCNA
---
---
CVEADP
---
---
CISA-ADPADP
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
VendorProductVersion
imaworldhealthbhima
1.27.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://fluidattacks.com/advisories/stewart/
https://github.com/IMA-WorldHealth/bhima/
https://fluidattacks.com/advisories/stewart/
https://github.com/IMA-WorldHealth/bhima/