CVE ID | CVE-2025-2313 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2025.MS1 |
Vulnerability type (CWE) | Improper Control of Generation of Code ('Code Injection') (CWE-94) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30036 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30037 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2025.MS2 |
Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30038 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2025.MS1 |
Vulnerability type (CWE) | Exposure of Sensitive Information Through Metadata (CWE-1230) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30039 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30040 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30041 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2025.MS1 |
Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30048 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2025.MS2 |
Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30055 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Improper Control of Generation of Code ('Code Injection') (CWE-94) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30056 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4.33 |
Vulnerability type (CWE) | Improper Control of Generation of Code ('Code Injection') (CWE-94) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30057 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Improper Control of Generation of Code ('Code Injection') (CWE-94) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30058 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30059 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30060 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30061 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30063 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2024.MS4 |
Vulnerability type (CWE) | Incorrect Permission Assignment for Critical Resource (CWE-732) |
Report source | Report to CERT Polska |
CVE ID | CVE-2025-30064 |
Publication date | 27 August 2025 |
Vendor | CGM |
Product | CGM CLININET |
Vulnerable versions | All before 2025.MS2 |
Vulnerability type (CWE) | Hidden Functionality (CWE-912) |
Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in CGM CLININET software and participated in coordination of their disclosure.
The vulnerability CVE-2025-2313: In the Print.pl service, the uhcPrintServerPrint function allows execution of arbitrary code via the CopyCounter parameter.
The vulnerability CVE-2025-30036: Stored XSS vulnerability exists in the Oddział (Ward) module, in the death diagnosis description field, and allows the execution of arbitrary JavaScript code. This can lead to session hijacking of other users and potentially to privilege escalation up to full administrative rights.
The vulnerability CVE-2025-30037: The system exposes several endpoints, typically including /int/ in their path, that should be restricted to internal services, but are instead publicly accessible without authentication to any host able to reach the application server on port 443/tcp.
The vulnerability CVE-2025-30038: The vulnerability consists of a session ID leak when saving a file downloaded from CGM CLININET. The identifier is exposed through a built-in Windows security feature that stores additional metadata in an NTFS alternate data stream (ADS) for all files downloaded from potentially untrusted sources.
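Browsers on Windows record a download's origin in the file's Zone.Identifier stream, so an identifier carried in the download URL stays on disk with the saved file. The audit helper below is an added example, not code from CGM or CERT Polska; it assumes the session ID travels in the URL query string, and the host, paths and parameter names in the sample are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the advisory does not name the parameter that carries the
# session ID, so match session-like names and any long opaque value.
SESSION_NAME = re.compile(r"(sess|sid|token)", re.IGNORECASE)
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")

def parse_zone_identifier(text):
    """Return the key/value pairs of the [ZoneTransfer] section as a dict."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = (line == "[ZoneTransfer]")
        elif in_section and "=" in line:
            key, _, value = line.partition("=")  # URLs contain '=' too
            fields[key] = value
    return fields

def leaked_session_params(text):
    """List (field, parameter, redacted value) for session-like URL parameters."""
    fields = parse_zone_identifier(text)
    findings = []
    for field in ("ReferrerUrl", "HostUrl"):
        query = urlsplit(fields.get(field, "")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if SESSION_NAME.search(name) or OPAQUE_VALUE.match(value):
                findings.append((field, name, value[:4] + "..."))
    return findings

# Constructed sample stream; host, paths and parameter names are invented.
SAMPLE = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://clininet.example.invalid/app/view?doc=17
HostUrl=https://clininet.example.invalid/app/download?doc=17&SessionID=0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    # On Windows/NTFS the stream is read with open(path + ":Zone.Identifier").
    for finding in leaked_session_params(SAMPLE):
        print(finding)
```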
The vulnerability CVE-2025-30039: Unauthenticated access to the /cgi-bin/CliniNET.prd/GetActiveSessions.pl endpoint allows takeover of any user session logged into the system, including users with admin privileges.
The vulnerability CVE-2025-30040: The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the /cgi-bin/CliniNET.prd/utils/userlogxls.pl endpoint.
The vulnerability CVE-2025-30041: The paths /cgi-bin/CliniNET.prd/utils/userlogstat.pl, /cgi-bin/CliniNET.prd/utils/usrlogstat.pl, and /cgi-bin/CliniNET.prd/utils/dblogstat.pl expose data containing session IDs.
The vulnerability CVE-2025-30048: The serverConfig endpoint, which returns the module configuration including credentials, is accessible without authentication.
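To review web server logs for requests to the endpoints named in CVE-2025-30037, CVE-2025-30039, CVE-2025-30040, CVE-2025-30041 and CVE-2025-30048, the following added example (not part of the advisory or the product) flags hits from hosts outside a trusted set. The combined log format, the trusted network and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Path markers quoted in the advisory, mapped to the CVE that names them.
WATCHED = [
    ("/cgi-bin/CliniNET.prd/GetActiveSessions.pl", "CVE-2025-30039"),
    ("/cgi-bin/CliniNET.prd/utils/userlogxls.pl", "CVE-2025-30040"),
    ("/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "CVE-2025-30041"),
    ("/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "CVE-2025-30041"),
    ("/cgi-bin/CliniNET.prd/utils/dblogstat.pl", "CVE-2025-30041"),
    ("/int/", "CVE-2025-30037"),
    ("serverConfig", "CVE-2025-30048"),
]
# Assumption: only these internal service addresses may call the endpoints.
TRUSTED = [ipaddress.ip_network("10.20.0.0/28")]
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def classify(raw_path):
    """Return (normalised path, CVE) for a watched endpoint, else None."""
    # Decode %xx and collapse repeated slashes before matching.
    path = re.sub(r"/+", "/", unquote(raw_path.split("?", 1)[0]))
    for marker, cve in WATCHED:
        if marker in path:
            return path, cve
    return None

def suspicious_requests(lines):
    """List (client, path, status, cve) for watched endpoints hit from untrusted hosts."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        found = classify(m.group(2)) if m else None
        if not found:
            continue
        try:
            trusted = any(ipaddress.ip_address(m.group(1)) in n for n in TRUSTED)
        except ValueError:  # hostname instead of an address: treat as untrusted
            trusted = False
        if not trusted:
            hits.append((m.group(1), found[0], int(m.group(3)), found[1]))
    return hits

# Constructed log lines; the addresses and /int/status are invented.
SAMPLE = [
    '203.0.113.7 - - [27/Aug/2025:10:00:01 +0200] "GET /cgi-bin/CliniNET.prd/GetActiveSessions.pl HTTP/1.1" 200 512',
    '10.20.0.5 - - [27/Aug/2025:10:00:02 +0200] "GET /int/status HTTP/1.1" 200 64',
    '198.51.100.9 - - [27/Aug/2025:10:00:03 +0200] "GET /cgi-bin/CliniNET.prd/utils//%64blogstat.pl?x=1 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [27/Aug/2025:10:00:04 +0200] "GET /index.html HTTP/1.1" 200 100',
]
```

A 200 response to any of these paths from an untrusted client on a version listed as vulnerable is a reason to treat the sessions active at that time as exposed.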
The vulnerability CVE-2025-30055: The system function receives untrusted input from the user. If the EnableJSCaching option is enabled, it is possible to execute arbitrary code provided as the Module parameter.
The vulnerability CVE-2025-30056: The RunCommand function accepts any parameter, which is then passed for execution in the shell. This allows an attacker to execute arbitrary code on the system.
The vulnerability CVE-2025-30057: In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function.
The vulnerability CVE-2025-30058: In the PatientService.pl service, the getPatientIdentifier function is vulnerable to SQL injection through the pesel parameter.
The vulnerability CVE-2025-30059: In the PrepareCDExportJSON.pl service, the getPerfServiceIds function is vulnerable to SQL injection.
The vulnerability CVE-2025-30060: In the ReturnUserUnitsXML.pl service, the getUserInfo function is vulnerable to SQL injection through the UserID parameter.
The vulnerability CVE-2025-30061: In the utils/Reporter/OpenReportWindow.pl service, there is an SQL injection vulnerability through the UserID parameter.
The vulnerability CVE-2025-30063: The configuration file containing database logins and passwords is readable by any local user.
The vulnerability CVE-2025-30064: An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the ex:action parameter in the VerifyUserByThrustedService function to generate a session for any user.
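The class of flaw described for CVE-2025-30064, a JWT check that does not fix the signing algorithm, is shown below next to a verifier that pins it. This is an added example and not the product's decodeParam code; the HS256 choice, the key and the claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json

PINNED_ALG = "HS256"  # assumption: the one algorithm this verifier accepts

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_hs256(claims, key):
    """Issue an HS256 token; only used to build constructed input."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(hs256(key, head, body))}"

def decode_unpinned(token, key):
    """Flawed pattern (assumed illustration): the token header picks the check."""
    head, body, sig = token.split(".")
    if json.loads(b64d(head)).get("alg") == "HS256":
        if not hmac.compare_digest(hs256(key, head, body), b64d(sig)):
            raise ValueError("bad signature")
    # Any other alg value falls through and the claims are trusted unverified.
    return json.loads(b64d(body))

def decode_pinned(token, key):
    """Hardened: the verifier fixes the algorithm; the header must match it."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64d(head)).get("alg")
    except (ValueError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    if alg != PINNED_ALG:
        raise ValueError(f"algorithm {alg!r} not accepted")
    if not hmac.compare_digest(hs256(key, head, body), b64d(sig)):
        raise ValueError("bad signature")
    return json.loads(b64d(body))

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value, not from the advisory
    token = sign_hs256({"sub": "demo-user"}, key)
    print(decode_pinned(token, key))
```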
Credits
We thank Maciej Kazulak for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.