CVE-2023-0944

MEDIUM

Bhima 1.27.0 - Authenticated Insecure Direct Object Reference

Title source: llm

Description

Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://fluidattacks.com/advisories/stewart/

Product

https://github.com/IMA-WorldHealth/bhima/

Scores

CVSS v3 4.3

EPSS 0.0048

EPSS Percentile 37.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-732

Status published

Products (1)

imaworldhealth/bhima 1.27.0

Published Apr 05, 2023

Tracked Since Feb 18, 2026