CVE-2023-0944

Published: Apr 5, 2023Modified: Feb 13, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.

Affected (1)

Products: Imaworldhealth: Bhima

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Imaworldhealth Bhima	Version 1.27.0

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

https://fluidattacks.com/advisories/stewart/

Source: help@fluidattacks.com

ExploitThird Party Advisory

https://github.com/IMA-WorldHealth/bhima/

Source: help@fluidattacks.com

Product

https://fluidattacks.com/advisories/stewart/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/IMA-WorldHealth/bhima/

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.