CVE-2023-0967

MEDIUM

Imaworldhealth Bhima - IDOR

Description

Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to insecure direct object reference (IDOR): it does not properly validate user permissions for certain actions the user can perform.

Scores

CVSS v3 6.5
EPSS 0.0016
EPSS Percentile 37.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (1)
imaworldhealth/bhima 1.27.0
Published Apr 05, 2023
Tracked Since Feb 18, 2026