9.3

CVSS4.0

CVE-2025-14532 - Remote Code Execution via Unrestricted File Upload in DobryCMS

DobryCMS's file upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution. This issue was fixed in versions above 5.0.

📅 Published: March 2, 2026, 12:49 p.m. 🔄 Last Modified: March 2, 2026, 1:34 p.m.

9.3

CVSS4.0

CVE-2025-12462 - Blind SQL Injection in DobryCMS

A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into the URL path, resulting in Blind SQL Injection. This issue was fixed in versions above 8.0.

📅 Published: March 2, 2026, 12:49 p.m. 🔄 Last Modified: March 2, 2026, 1:35 p.m.

5.3

CVSS4.0

CVE-2025-58406 - Lack of HTTP Response Headers

The CGM CLININET application responds without essential security HTTP headers, exposing users to client-side attacks such as clickjacking, MIME sniffing, unsafe caching, weak cross-origin isolation, and missing transport security controls.

📅 Published: March 2, 2026, 11:16 a.m. 🔄 Last Modified: March 2, 2026, 8:29 p.m.

5.3

CVSS4.0

CVE-2025-58405 - Lack of protection mechanisms against Clickjacking attacks

The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks; neither HTTP security headers nor HTML-based frame-busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into perform…

📅 Published: March 2, 2026, 11:16 a.m. 🔄 Last Modified: March 2, 2026, 8:29 p.m.

7.1

CVSS4.0

CVE-2025-58402 - Insecure Direct Object Reference Message ID

The CGM CLININET application uses direct, sequential object identifiers ("MessageID") without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users.

📅 Published: March 2, 2026, 11:16 a.m. 🔄 Last Modified: March 2, 2026, 8:29 p.m.

6.9

CVSS4.0

CVE-2025-30062 - SQL injection in CheckUnitCodeAndKey.pl

In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection.

📅 Published: March 2, 2026, 11:16 a.m. 🔄 Last Modified: March 2, 2026, 1:11 p.m.

9.4

CVSS4.0

CVE-2025-30044 - RCE on uhcapache user permissions

In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstat_simple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection.

📅 Published: March 2, 2026, 11:15 a.m. 🔄 Last Modified: March 2, 2026, 1:20 p.m.

9

CVSS4.0

CVE-2025-30042 - Session generation possible with certificate number only

The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. As a result, possession of the certificate number alone is sufficient for authentication, rega…

📅 Published: March 2, 2026, 11:14 a.m. 🔄 Last Modified: March 2, 2026, 1:21 p.m.

9

CVSS4.0

CVE-2025-30035 - Lack of API authentication allowing session generation for any user

The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the s…

📅 Published: March 2, 2026, 11:14 a.m. 🔄 Last Modified: March 2, 2026, 1:22 p.m.

6.1

CVSS3.1

CVE-2026-3442 - binutils: GNU Binutils: Information disclosure or denial of service via out-of-bounds read in bfd l…

No description is available for this CVE.

📅 Published: March 2, 2026, 11:11 a.m. 🔄 Last Modified: March 2, 2026, 11:11 a.m.