CVE-2023-40278

HIGH

OpenClinic GA - Information Disclosure

Title source: rule

Description

An issue was discovered in OpenClinic GA 5.247.01. An Information Disclosure vulnerability has been identified in the printAppointmentPdf.jsp component of OpenClinic GA. By changing the AppointmentUid parameter, an attacker can determine whether a specific appointment exists based on the error message.

Exploits (1)

exploitdb WRITEUP
by VB · webapps · php
https://www.exploit-db.com/exploits/51994

Scores

CVSS v3 7.5
EPSS 0.1134
EPSS Percentile 93.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (1)
openclinic_ga_project/openclinic_ga 5.247.01
Published Mar 19, 2024
Tracked Since Feb 18, 2026