CVE-2021-40375

MEDIUM

Apperta Foundation OpenEyes 3.5.1 - Info Disclosure

Title source: llm

Description

Apperta Foundation OpenEyes 3.5.1 allows remote attackers to view the sensitive information of patients without having the intended level of privilege. Despite OpenEyes returning a Forbidden error message, the contents of a patient's profile are still returned in the server response. This response can be read in an intercepting proxy or by viewing the page source. Sensitive information returned in responses includes patient PII and medication records or history.

Exploits (1)

nomisec WRITEUP 2 stars

by DCKento · poc

https://github.com/DCKento/CVE-2021-40375

View Code ZIP pw:eip

References (2)

Core 2

Core References

Product, Vendor Advisory x_refsource_misc

https://openeyes.apperta.org/

Exploit, Third Party Advisory x_refsource_misc

https://github.com/DCKento/CVE-2021-40375

Scores

CVSS v3 6.5

EPSS 0.0064

EPSS Percentile 70.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (1)

apperta/openeyes 3.5.1

Published Apr 06, 2022

Tracked Since Feb 18, 2026