Presentation:
Security vulnerability: Sensitive Data Exposure.
Vulnerability Type: Sensitive Data Exposure by Broken Access Control.
Affected Component: Affected source code pages.
Software: MV's IDCE.
Version: 1.0 (discontinued).
Business area: Health, Medicine.
Describe the bug/issue:
Information disclosure in the aspx pages of MV's IDCE application v1.0 allows an attacker to append the names of aspx pages that connect directly to the database to the end of the application URL, revealing internal and sensitive information about users and patients without being logged into the web application.
Have you searched the internet or Github for an answer?
Yes.
To Reproduce:
Without being logged into the IDCE application, open the URL and access:
http://your_domain/idce/Medicos.aspx or;
http://your_domain/idce/SegUsuario.aspx
Internal information will be disclosed by the IDCE application, such as names, usernames, birth date, Brazilian Regional Council of Medicine (CRM), Brazilian registration of individuals (CPF), etc.
Expected behavior:
Internal information should not be disclosed without proper authentication and authorization.
Bug Fix:
No bug fix. Discontinued software.
CVE ID: CVE-2020-23284
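
Added example, not part of the original advisory or the vendor's code: a Python check an operator can run against their own IDCE deployment to confirm that the two pages listed under "To Reproduce" refuse requests that carry no session cookie or credentials. The base URL, the function names and the mapping from status code to verdict are assumptions made for this example.

```python
# Added example: confirms that the pages named in the advisory refuse
# requests that carry no session cookie or credentials.
import urllib.error
import urllib.request

# Page names come from the advisory; the base URL is supplied by the operator.
ADVISORY_PAGES = ("Medicos.aspx", "SegUsuario.aspx")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them to a login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status):
    """Map the HTTP status of an unauthenticated request to a verdict."""
    if status == 200:
        return "exposed"        # page served without a session
    if status in (301, 302, 303, 307, 308, 401, 403):
        return "blocked"        # redirected to a login page or refused
    return "inconclusive"       # 404, 5xx and others need a manual look


def check_pages(base_url, pages=ADVISORY_PAGES, timeout=5):
    """Request each page with no cookies or credentials; return {page: verdict}."""
    # Direct connection: proxy environment variables are ignored.
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.ProxyHandler({}))
    results = {}
    for page in pages:
        url = base_url.rstrip("/") + "/" + page
        try:
            with opener.open(url, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code   # unfollowed 3xx, 4xx and 5xx arrive here
        except (urllib.error.URLError, OSError):
            results[page] = "unreachable"
            continue
        results[page] = classify(status)
    return results
```

A verdict of "exposed" only means the server answered 200 to a request without a session; a deployment that returns its login form with status 200 would need a content check on top of this.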