CVE-2020-28937

Severity: HIGH | CVSS 7.5/10 | EPSS 1.32%

CVE-2020-28937 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI. EPSS estimates a 1.32% chance of exploitation in the next 30 days.

Description

OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vector breakdown: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), scope unchanged (S:U), high confidentiality impact (C:H) with no integrity (I:N) or availability (A:N) impact. The score reflects that the only barrier to reading PHI is the absent authentication check on the /tests/ URI.

EPSS Probability
1.32%

67.3rd percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor              Product     Versions
Openclinic Project  Openclinic  0.8.2

References

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2020-28937?
OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI.
How severe is CVE-2020-28937?
CVE-2020-28937 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.32% probability of exploitation in the next 30 days.
How do I fix CVE-2020-28937?
Check the vendor references and advisories for patched versions and mitigation guidance. Until a fixed version is deployed, the exposure can be reduced by requiring authentication for the /tests/ URI at the web server or reverse proxy layer and by monitoring access logs for unauthenticated requests to that path.

Source: NVD / NIST