CVE ID | CVE-2024-1228 |
Publication date | 10 June 2024 |
Vendor | EuroSoft Sp. z o. o. |
Product | Eurosoft Przychodnia |
Vulnerable versions | All to 20240417.001 |
Vulnerability type (CWE) | Use of Hard-coded Credentials (CWE-798) |
Report source | Report to CERT Polska |

CVE ID | CVE-2024-3699 |
Publication date | 10 June 2024 |
Vendor | drEryk sp. z o.o. |
Product | drEryk Gabinet |
Vulnerable versions | From 7.0.0.0 through 9.17.0.0. |
Vulnerability type (CWE) | Use of Hard-coded Credentials (CWE-798) |
Report source | Report to CERT Polska |

CVE ID | CVE-2024-3700 |
Publication date | 10 June 2024 |
Vendor | Estomed Sp. z o.o. |
Product | Simple Care |
Vulnerable versions | All versions |
Vulnerability type (CWE) | Use of Hard-coded Credentials (CWE-798) |
Report source | Report to CERT Polska |

Description
CERT Polska has received a report about vulnerabilities in software for medical clinics and participated in coordinating their disclosure.
These vulnerabilities share the same root cause: the use of a hard-coded password for the patient database, which allows an attacker to retrieve sensitive data stored in the database. The password is the same across all installations of the software.
The vulnerability CVE-2024-1228 affects Eurosoft Przychodnia software before version 20240417.001; the vulnerability is fixed from that version onward.
The vulnerability CVE-2024-3699 affects drEryk Gabinet from version 7.0.0.0 through 9.17.0.0. Version 9.18.0.0 contains security patches.
The vulnerability CVE-2024-3700 affects Estomed Sp. z o.o. Simple Care software in all versions. The software is no longer supported.
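As an added example (not code from CERT Polska or the vendors), the version ranges stated above can be turned into an inventory check that flags installations still affected. The host names and inventory rows are constructed, the function names are hypothetical, and the Eurosoft boundary follows the description's statement that 20240417.001 is the fixed version.

```python
# Added example: triage a software inventory against the three CVEs above.
# Version bounds are taken from the advisory; inventory rows are constructed.

def parse_version(text):
    """Turn '9.17.0.0' or '20240417.001' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def eurosoft_affected(version):      # fixed from 20240417.001 onward
    return parse_version(version) < parse_version("20240417.001")

def dreryk_affected(version):        # 7.0.0.0 through 9.17.0.0
    low, high = parse_version("7.0.0.0"), parse_version("9.17.0.0")
    return low <= parse_version(version) <= high

def simple_care_affected(version):   # all versions, no longer supported
    return True

RULES = {
    "eurosoft przychodnia": ("CVE-2024-1228", eurosoft_affected),
    "dreryk gabinet": ("CVE-2024-3699", dreryk_affected),
    "simple care": ("CVE-2024-3700", simple_care_affected),
}

def triage(product, version):
    """Return (cve, status) for one installation."""
    rule = RULES.get(product.strip().lower())
    if rule is None:
        return None, "not listed"
    cve, is_affected = rule
    try:
        return cve, "affected" if is_affected(version) else "not affected"
    except ValueError:
        return cve, "unknown"        # unreadable version: verify on the host

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("clinic-01", "Eurosoft Przychodnia", "20240312.004"),
    ("clinic-02", "drEryk Gabinet", "9.18.0.0"),
    ("clinic-03", "Simple Care", "3.2"),
    ("clinic-04", "drEryk Gabinet", "build-9"),
]

def report(inventory):
    return [(host, *triage(product, ver)) for host, product, ver in inventory]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(row)
```

An "unknown" result means the recorded version string could not be compared and the installation should be checked directly.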
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.