What the vulnerability does
01Description
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
What the vulnerability does
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
Explanation of Vulnerability in Simple Terms
KiviCare versions up to 4.2.1 contain an authorization flaw that allows authenticated users with low privileges to read, modify, or disrupt data they should not access. The vulnerability stems from insufficient access controls on sensitive operations. An authenticated attacker can exploit this without user interaction to gain unauthorized access to restricted information or functionality.
What an attacker can do
Read, modify, or disrupt data and functionality they should not have access to.
Potential impact on your site
Unauthorized users can access, change, or interfere with patient data, appointments, or system settings.
Conditions required to exploit
Attacker must have a low-privilege account on the KiviCare installation.
Key dates
External resources
Related vulnerabilities