CVE-2023-40275 - Vulnerability Details - OpenCVE

An issue was discovered in OpenClinic GA 5.247.01. It allows retrieval of patient lists via queries such as findFirstname= to _common/search/searchByAjax/patientslistShow.jsp.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Openclinic Ga Project	Openclinic Ga

Configuration 1 [-]

cpe:2.3:a:openclinic_ga_project:openclinic_ga:5.247.01:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/BugBountyHunterCVE/CVE-2023-40275/blob/main/CVE-2023-40275_Unauthenticated-Patient-List-Retrieval_OpenClinic-GA_5.247.01_Report.md
https://sourceforge.net/projects/open-clinic/

History

Mon, 14 Apr 2025 14:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:openclinic_ga_project:openclinic_ga:5.247.01:::::::*

Thu, 10 Apr 2025 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openclinic Ga Project Openclinic Ga Project openclinic Ga
CPEs		cpe:2.3:a:openclinic_ga_project:openclinic_ga:5:::::::*
Vendors & Products		Openclinic Ga Project Openclinic Ga Project openclinic Ga
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-03-19T00:00:00.000Z

Updated: 2025-04-10T20:22:18.673Z

Reserved: 2023-08-14T00:00:00.000Z

Link: CVE-2023-40275

Vulnrichment

Updated: 2024-08-02T18:31:52.387Z

NVD

Status : Analyzed

Published: 2024-03-19T01:15:44.743

Modified: 2025-04-14T13:39:18.027

Link: CVE-2023-40275

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-40275", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-04-10T20:22:18.673Z", "dateReserved": "2023-08-14T00:00:00.000Z", "datePublished": "2024-03-19T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-19T00:11:01.904Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenClinic GA 5.247.01. It allows retrieval of patient lists via queries such as findFirstname= to _common/search/searchByAjax/patientslistShow.jsp."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://sourceforge.net/projects/open-clinic/"}, {"url": "https://github.com/BugBountyHunterCVE/CVE-2023-40275/blob/main/CVE-2023-40275_Unauthenticated-Patient-List-Retrieval_OpenClinic-GA_5.247.01_Report.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "affected": [{"vendor": "openclinic_ga_project", "product": "openclinic_ga", "cpes": ["cpe:2.3:a:openclinic_ga_project:openclinic_ga:5:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.247.01", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-19T19:48:46.699389Z", "id": "CVE-2023-40275", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T20:22:18.673Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:31:52.387Z"}, "title": "CVE Program Container", "references": [{"url": "https://sourceforge.net/projects/open-clinic/", "tags": ["x_transferred"]}, {"url": "https://github.com/BugBountyHunterCVE/CVE-2023-40275/blob/main/CVE-2023-40275_Unauthenticated-Patient-List-Retrieval_OpenClinic-GA_5.247.01_Report.md", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://sourceforge.net/projects/open-clinic/", "tags": ["x_transferred"]}, {"url": "https://github.com/BugBountyHunterCVE/CVE-2023-40275/blob/main/CVE-2023-40275_Unauthenticated-Patient-List-Retrieval_OpenClinic-GA_5.247.01_Report.md", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:31:52.387Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-40275", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-19T19:48:46.699389Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:openclinic_ga_project:openclinic_ga:5:*:*:*:*:*:*:*"], "vendor": "openclinic_ga_project", "product": "openclinic_ga", "versions": [{"status": "affected", "version": "5.247.01"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-18T15:13:34.479Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://sourceforge.net/projects/open-clinic/"}, {"url": "https://github.com/BugBountyHunterCVE/CVE-2023-40275/blob/main/CVE-2023-40275_Unauthenticated-Patient-List-Retrieval_OpenClinic-GA_5.247.01_Report.md"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenClinic GA 5.247.01. It allows retrieval of patient lists via queries such as findFirstname= to _common/search/searchByAjax/patientslistShow.jsp."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-19T00:11:01.904Z"}}}, "cveMetadata": {"cveId": "CVE-2023-40275", "state": "PUBLISHED", "dateUpdated": "2025-04-10T20:22:18.673Z", "dateReserved": "2023-08-14T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-03-19T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclinic_ga_project:openclinic_ga:5.247.01:*:*:*:*:*:*:*", "matchCriteriaId": "5395A171-DCA3-4128-A908-56AB2B1EFB95", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenClinic GA 5.247.01. It allows retrieval of patient lists via queries such as findFirstname= to _common/search/searchByAjax/patientslistShow.jsp."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en OpenClinic GA 5.247.01. Permite la recuperaci\u00f3n de listas de pacientes mediante consultas como findFirstname= a _common/search/searchByAjax/patientslistShow.jsp."}], "id": "CVE-2023-40275", "lastModified": "2025-04-14T13:39:18.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-19T01:15:44.743", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://github.com/BugBountyHunterCVE/CVE-2023-40275/blob/main/CVE-2023-40275_Unauthenticated-Patient-List-Retrieval_OpenClinic-GA_5.247.01_Report.md"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://sourceforge.net/projects/open-clinic/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/BugBountyHunterCVE/CVE-2023-40275/blob/main/CVE-2023-40275_Unauthenticated-Patient-List-Retrieval_OpenClinic-GA_5.247.01_Report.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://sourceforge.net/projects/open-clinic/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}