62 matches found
CVE-2025-30035
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the...
CVE-2025-30044
In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstatsimple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection...
CVE-2025-10350
SQL Injection vulnerability in "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in versions before 7.9....
CVE-2025-58405
The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security headers nor HTML-based frame‑busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into...
CVE-2025-30042
The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. As a result, possession of the certificate number alone is sufficient for authentication,...
CVE-2025-58402
The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users...
CVE-2025-30044
In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstatsimple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection...
CVE-2025-30035
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the...
CVE-2025-58406
Technical details about CVE-2025-58406 are not provided in the supplied documents. For CGM CLININET, specifics such as affected versions, root cause, and fixes are not disclosed here; monitor for updates.
EUVD-2025-208152
The CGM CLININET application respond without essential security HTTP headers, exposing users to client‑side attacks such as clickjacking, MIME sniffing, unsafe caching, weak cross‑origin isolation, and missing transport security controls...
EUVD-2025-208151
The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security headers nor HTML-based frame‑busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into...
CVE-2025-58405 Lack of protection mechanisms against Clickjacking attacks
The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security headers nor HTML-based frame‑busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into...
CVE-2025-30044 RCE on uhcapache user permissions
In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstatsimple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection...
CVE-2025-30044
CVE-2025-30044 affects endpoints under CliniNET.prd/utils (usrlogstat_simple.pl, usrlogstat.pl, userlogstat2.pl, dblogstat.pl). The issue is insufficient input normalization on parameters, enabling code injection. According to the provided metrics, the vulnerability has CRITICAL impact with HIGH ...
EUVD-2025-208148
In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstatsimple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection...
CVE-2025-30044 RCE on uhcapache user permissions
In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstatsimple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection...
CVE-2025-30044
In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstatsimple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection...
CVE-2025-30035 Lack of API authentication allowing session generation for any user
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the...
CVE-2025-30035
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the...
CVE-2025-30035
CVE-2025-30035 affects CGM CLININET: lack of API authentication allows generating a session for any user, enabling session takeover without a password. Root cause: missing auth on session creation. Impact is high across confidentiality, integrity, and availability (CVSS v4.0 base score 9.0; vecto...