C4G BLIS Improper Access Control

2019-11-06T00:00:00
ID AKB:C7974B74-E51D-401D-AA60-F64FF97EE2F7
Type attackerkb
Reporter AttackerKB
Modified 2020-07-24T00:00:00

Description

Computing For Good’s Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, “Improper Access Control.” As a result, an unauthenticated user may alter several facets of a user account, including promoting any user to an administrator.

Recent assessments:

busterb at November 14, 2019 10:04pm UTC reported:

Authentication bypass on medical software in general is a big utility to both an attacker and a liability for medical professionals using the software.

Where it may be less applicable in utility is simply in where it is used. The list of labs that do use this software is listed straight on the software’s website, which hopefully allowed them to communicate the importance of patching before this vulnerability was announced (and hopefully they applied additional compensating controls in the process): <http://blis.cc.gatech.edu/index.php>

Assessed Attacker Value: 3
Assessed Attacker Value: 5