CVE 9 CRITICAL

Missing authentication in API returning request logs containing session IDs_CVE-2025-30040

August 27, 2025 invoker category_cve
9 / 10
CRITICAL
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the "/cgi-bin/CliniNET.prd/utils/userlogxls.pl" endpoint.

Basic Information

ID CVE-2025-30040
Source CERT-PL
Published Aug 27, 2025 at 10:21

Affected Product

Vendor CGM
Product CGM CLININET
Affected Versions CGM CGM CLININET 0

CWE Classification

CWE-306

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.