Klinika XP and KlinikaXP Insertino Hard-Coded Credentials Vulnerability

Vulnerability

A vulnerability exists in Klinika XP and KlinikaXP Insertino due to hard-coded credentials that allow unauthorized access to several internal services. This access includes the FTP server where the application's update packages are stored. With these credentials, an attacker could upload a malicious update file, which might then be distributed and installed on client machines as a legitimate update. This vulnerability affects Klinika XP versions prior to 5.39.01.01 and KlinikaXP Insertino versions prior to 3.1.0.1.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services, including the FTP server hosting application update packages. This access could be used to upload malicious update files, potentially compromising client machines by installing the malicious files as legitimate updates.

Remediation

The hard-coded credentials have been removed from the code, and previously exposed credentials have been rotated to prevent further exploitation. Users are advised to update to Klinika XP version 5.39.09.49 or KlinikaXP Insertino version 3.1.0.1.
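A release check that follows from this remediation, as an added example (it is not code from the vendor or from this advisory): scan a build artifact for credentials embedded as ASCII or UTF-16LE strings before it ships. The function names, patterns and sample bytes are assumptions made for illustration; the sample is constructed and contains no real credentials.

```python
import re

# Printable runs of 6+ characters, stored as ASCII or as UTF-16LE
# (Windows executables commonly keep string constants in UTF-16LE).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# scheme://user:password@host, and key=value secrets as in connection strings
URI_CRED = re.compile(r"\b(ftps?|sftp|https?)://([^\s:/@]+):([^\s/@]+)@([A-Za-z0-9.-]+)")
KV_CRED = re.compile(r"(?i)\b(password|passwd|pwd)\s*=\s*([^;\s\"']+)")
# Values that are filled in at run time are not hard-coded secrets
PLACEHOLDER = re.compile(r"^(%[sd]|\{.*\}|\$\{.*\}|<.*>)$")

def extract_strings(blob):
    """Yield (offset, text) for every ASCII and UTF-16LE string in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")

def redact(secret):
    """Keep the first character only, so reports do not leak the secret."""
    return secret[0] + "*" * (len(secret) - 1)

def find_embedded_credentials(blob):
    """Return findings sorted by file offset, with secrets redacted."""
    findings = []
    for offset, text in extract_strings(blob):
        for scheme, user, secret, host in URI_CRED.findall(text):
            if not PLACEHOLDER.match(secret):
                findings.append({"offset": offset, "kind": "uri",
                                 "target": f"{scheme}://{user}@{host}",
                                 "secret": redact(secret)})
        for key, secret in KV_CRED.findall(text):
            if not PLACEHOLDER.match(secret):
                findings.append({"offset": offset, "kind": "key-value",
                                 "target": key, "secret": redact(secret)})
    return sorted(findings, key=lambda f: f["offset"])

# Constructed sample: a fake binary image, not data from any real product.
PAD = b"\x00" * 4
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"ftp://updater:Ex4mple-Pass@updates.example.invalid/packages/" + PAD
          + "Server=db.example.invalid;User Id=app;Password=Ex4mple-Db;".encode("utf-16-le") + PAD
          + b"ftp://%s:%s@mirror.example.invalid/" + PAD)

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE):
        print(finding)
```

Any finding in a release build means the credential must be treated as exposed and rotated, since removing the string from later builds does not recall copies already distributed.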

Added: Mar 23, 2026, 1:28 PM
Updated: Mar 23, 2026, 1:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.9
exploitability: 4.5
remediation: 0.0
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.