CVE-2024-23747

The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/louiselalanne/CVE-2024-23747	Exploit Third Party Advisory
https://modernasistemas.com.br/sitems/	Product
https://github.com/louiselalanne/CVE-2024-23747	Exploit Third Party Advisory
https://modernasistemas.com.br/sitems/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:modernasistemas:modernanet_hospital_management_system_2024:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:58

Type	Values Removed	Values Added
References	~~() https://github.com/louiselalanne/CVE-2024-23747 - Exploit, Third Party Advisory~~	() https://github.com/louiselalanne/CVE-2024-23747 - Exploit, Third Party Advisory
References	~~() https://modernasistemas.com.br/sitems/ - Product~~	() https://modernasistemas.com.br/sitems/ - Product

29 Jan 2024, 14:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-29 14:15

Updated : 2024-11-21 08:58

NVD link : CVE-2024-23747

Mitre link : CVE-2024-23747

CVE.ORG link : CVE-2024-23747

JSON object : View

Products Affected

modernasistemas

modernanet_hospital_management_system_2024

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2024-23747", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-01-29T14:15:09.993", "references": [{"url": "https://github.com/louiselalanne/CVE-2024-23747", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://modernasistemas.com.br/sitems/", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/louiselalanne/CVE-2024-23747", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://modernasistemas.com.br/sitems/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information."}, {"lang": "es", "value": "Moderna Sistemas ModernaNet Hospital Management System 2024 es susceptible a una vulnerabilidad de referencia directa a objetos inseguros (IDOR). Esta vulnerabilidad reside en el manejo por parte del sistema del acceso a los datos del usuario a trav\u00e9s de un /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. Al manipular este par\u00e1metro de id, un atacante puede obtener acceso a informaci\u00f3n m\u00e9dica confidencial."}], "lastModified": "2024-11-21T08:58:18.813", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:modernasistemas:modernanet_hospital_management_system_2024:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E44BF84-A17C-4340-B075-41867E40AE0D"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}