MidnightBSD

Advisories for mieweb

CVE-2025-35029

Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content will be rendered and executed when a victim accesses it. This issue is fixed as of 2025-03-14.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N 2.1 1.4

Products Affected

Vendor Product Version
mieweb enterprise_health rc202403
mieweb enterprise_health rc202309
mieweb enterprise_health rc202503
mieweb enterprise_health rc202409
CVE-2025-35030

Medical Informatics Engineering Enterprise Health has a cross site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and perform actions on behalf of that administrative user. This issue is fixed as of 2025-04-08.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
mieweb enterprise_health rc202403
mieweb enterprise_health rc202309
mieweb enterprise_health rc202503
mieweb enterprise_health rc202303
mieweb enterprise_health rc202409
CVE-2025-35031

Medical Informatics Engineering Enterprise Health includes the user's current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
mieweb enterprise_health rc202403
mieweb enterprise_health rc202503
mieweb enterprise_health rc202409
CVE-2025-35032

Medical Informatics Engineering Enterprise Health allows authenticated users to upload arbitrary files. The impact of this behavior depends on how files are accessed. This issue is fixed as of 2025-04-08.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 3.4 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N 1.7 1.4

Products Affected

Vendor Product Version
mieweb enterprise_health rc202403
mieweb enterprise_health rc202309
mieweb enterprise_health rc202503
mieweb enterprise_health rc202303
mieweb enterprise_health rc202409
CVE-2025-35033

Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 4.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N 2.3 1.4

Products Affected

Vendor Product Version
mieweb enterprise_health rc202403
mieweb enterprise_health rc202309
mieweb enterprise_health rc202503
mieweb enterprise_health rc202303
mieweb enterprise_health rc202409
CVE-2025-35034

Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the 'portlet_user_id' URL parameter. A remote, unauthenticated attacker can craft a URL that can execute arbitrary JavaScript in the victim's browser. This issue is fixed as of 2025-03-14.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
mieweb enterprise_health rc202403
mieweb enterprise_health rc202309
mieweb enterprise_health rc202503
mieweb enterprise_health rc202409