CGM CLININET Session Generation Vulnerability for Arbitrary Users

Vulnerability

A vulnerability in CGM CLININET allows for the generation of sessions for arbitrary users due to an insufficiently secured internal function. The issue arises because the decodeParam function checks the JSON Web Token (JWT) but fails to verify the signing algorithm used. This flaw enables attackers to manipulate the 'ex:action' parameter in the VerifyUserByThrustedService function to create a session for any user. This vulnerability affects all versions of CGM CLININET prior to 2025.M2.
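The failure mode described above, a JWT check that reads the token but does not pin the signing algorithm, illustrated in a constructed Python example added here by the editor; it is not code from CGM CLININET or from the advisory. `decode_trusting_header` mirrors the bug class (the token's own header decides whether a signature is checked), `verify_pinned` is the corrected check that fixes the algorithm on the verifier side, and `check_token` returns a log-ready reason string for rejected tokens. The secret, claims and token values are constructed test vectors, not values from the product.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service would load its key from a secret store.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
HS256_HEADER = {"alg": "HS256", "typ": "JWT"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, header: dict, secret: Optional[bytes] = None) -> str:
    """Build a compact JWS. With a secret the signature is HMAC-SHA256 over
    header.payload; without one the signature segment is left empty. Used here
    only to construct test vectors for the two verifiers below."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if secret is None:
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_trusting_header(token: str, secret: bytes) -> dict:
    """ANTI-PATTERN (constructed to mirror the bug class, not the product's code):
    the alg named in the token's own header decides whether the signature is
    checked at all, so a token that names another algorithm passes unverified."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
    # Any other alg value falls through here with no signature check at all.
    return json.loads(_b64url_decode(payload_b64))


def verify_pinned(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened form: the verifier, not the token, fixes the algorithm. The header
    is parsed only to confirm it matches, and the MAC is always computed and
    compared in constant time before any claim is returned."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def check_token(token: str, secret: bytes) -> str:
    """Log-ready verdict: 'ok', or the reason the pinned verifier rejected it."""
    try:
        verify_pinned(token, secret)
    except ValueError as exc:  # covers base64, JSON and our own errors
        return str(exc)
    return "ok"


# Constructed test vectors: a properly signed token, an unsigned token whose
# header names alg "none", and a signed token whose payload was swapped.
VALID_TOKEN = make_token({"sub": "alice"}, HS256_HEADER, DEMO_SECRET)
UNSIGNED_TOKEN = make_token({"sub": "bob"}, {"alg": "none", "typ": "JWT"})
_h, _p, _s = VALID_TOKEN.split(".")
_swapped_payload = make_token({"sub": "bob"}, HS256_HEADER).split(".")[1]
TAMPERED_TOKEN = f"{_h}.{_swapped_payload}.{_s}"

if __name__ == "__main__":
    for name, tok in [("valid", VALID_TOKEN), ("unsigned", UNSIGNED_TOKEN),
                      ("tampered", TAMPERED_TOKEN)]:
        print(f"{name:9s} pinned verifier: {check_token(tok, DEMO_SECRET)}")
```

The point of the pinned form is that the accepted algorithm is configuration on the verifying side; the header is compared against it and never consulted to choose a code path. Logging the `check_token` reason for every rejected token also gives a simple detection signal: a run of `unexpected alg` rejections from one client is worth a look.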

Impact

Exploitation of this vulnerability allows for unauthorized session generation, potentially leading to session hijacking.

Added: Aug 27, 2025, 11:18 AM
Updated: Aug 27, 2025, 11:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.