Vulnerabilities > CVE-2023-0967 - Authorization Bypass Through User-Controlled Key vulnerability in Imaworldhealth Bhima 1.27.0

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

imaworldhealth

CWE-639

NVD

Published: 2023-04-05

Updated: 2023-04-17

Summary

Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform.

Vulnerable Configurations

Part	Description	Count
Application	Imaworldhealth Imaworldhealth Bhima 1.27.0	1

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://github.com/IMA-WorldHealth/bhima/
https://fluidattacks.com/advisories/ingrosso/