Full Report
CERT Polska has received a report about 17 vulnerabilities (between CVE-2025-2313 and CVE-2025-30064) found in CGM CLININET software.
Analysis Summary
Of the 17 vulnerabilities (CVE-2025-2313 through CVE-2025-30064), this summary covers those for which the source excerpt gives technical detail, organized by individual CVE; entries the excerpt does not describe are listed only by affected version.
---
# Vulnerability Summary: Multiple Flaws in CGM CLININET (CVE-2025-2313 to CVE-2025-30064)
A total of 17 vulnerabilities were reported by CERT Polska affecting CGM CLININET software. The summary below details several critical flaws, including multiple instances of Code Injection, SQL Injection, and authentication bypasses.
---
## CVE Details (Sampled)
| CVE ID | Severity | CWE (Published) | Description Focus |
| :--- | :--- | :--- | :--- |
| **CVE-2025-2313** | Not provided | CWE-94 (Code Injection) | Arbitrary code execution via the `Module` parameter when `EnableJSCaching` is active. |
| **CVE-2025-30036** | Not provided | CWE-79 (XSS) | Cross-site scripting. |
| **CVE-2025-30037** | Not provided | CWE-306 (Missing Auth) | Command injection via the `filename` parameter in `UHCRTFDoc`, leading to code execution. |
| **CVE-2025-30038** | Not provided | CWE-1230 (Metadata Exposure) | Exposure of sensitive information through metadata. |
| **CVE-2025-30040** | Not provided | CWE-306 (Missing Auth) | Missing authentication for a critical function in `ReturnUserUnitsXML.pl`. |
| **CVE-2025-30055** | Not provided | CWE-94 (Code Injection) | Arbitrary code execution via the `Module` parameter when `EnableJSCaching` is enabled. |
| **CVE-2025-30056** | Not provided | Not stated (code execution implied) | Arbitrary code execution via untrusted input passed to `RunCommand` and executed in the shell. |
| **CVE-2025-30057** | Not provided | Not stated (command injection implied) | Command injection via the `filename` parameter in the `ConvertToPDF` function within `UHCRTFDoc`. |
| **CVE-2025-30058** | Not provided | Not stated (SQL injection implied) | SQL injection via the `pesel` parameter in the `PatientService.pl` service. |
| **CVE-2025-30064** | Not provided | Not stated (authentication bypass implied) | Session generation for arbitrary users due to insufficient JWT algorithm verification in `VerifyUserByThrustedService`. |
---
## Affected Systems
- **Products:** CGM CLININET
- **Versions:**
* Prior to **2025.MS1** (Affected by CVE-2025-2313, CVE-2025-30038, CVE-2025-30041, CVE-2025-30055)
* Prior to **2024.MS4** (Affected by CVE-2025-30036, CVE-2025-30039, CVE-2025-30040, CVE-2025-30056, CVE-2025-30060, CVE-2025-30061)
* Prior to **2025.MS2** (Affected by CVE-2025-30037, CVE-2025-30048)
* Prior to **2024.MS4.33** (Affected by CVE-2025-30056)
- **Configurations:** Specific conditions vary by CVE (e.g., `EnableJSCaching` must be enabled for CVE-2025-2313/30055).
## Vulnerability Description (Technical Details for Key CVEs)
* **Code Injection (CVE-2025-2313, CVE-2025-30055):** The system executes user-supplied input (`Module` parameter) via the `system()` function when a specific configuration option (`EnableJSCaching`) is active, resulting in Remote Code Execution.
* **Command Injection (CVE-2025-30057):** The `ConvertToPDF` function in `UHCRTFDoc` fails to properly sanitize the `filename` parameter before passing it to a `system()` call, allowing command injection.
* **SQL Injection (CVE-2025-30058, 30059, 30060, 30061):** Multiple services (`PatientService.pl`, `PrepareCDExportJSON.pl`, `ReturnUserUnitsXML.pl`, `Reporter/OpenReportWindow.pl`) suffer from SQL injection due to unsanitized user input in parameters like `pesel` or `UserID`.
* **Authentication Bypass (CVE-2025-30064):** The `VerifyUserByThrustedService` function processes JWTs in the `ex:action` parameter without correctly verifying the signing algorithm, enabling an attacker to forge a valid session token for any user.
* **Misconfiguration (CVE-2025-30063):** Database credentials (logins and passwords) are stored in a configuration file accessible to any local user, leading to full database compromise potential.
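The authentication-bypass entry above (CVE-2025-30064) describes a verifier that lets the token's own `alg` header decide how the signature is checked. The following Python is an added illustration of that flaw class and its fix; it is not CLININET code, and the key, the claim names and the expectation that tokens are HMAC-SHA256 signed are all assumptions made for the example. `verify_trusting_header` shows the flawed pattern, in which an unsigned token whose header says `alg: none` is accepted; `verify_pinned` shows the hardened pattern, in which the server fixes the algorithm and key in advance and rejects anything else.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Demo-only key, constructed for this example; not a real secret from the product.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ALG = "HS256"  # assumption: the service only ever issues HMAC-SHA256 tokens


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding JWT strips, then decode.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Legitimate issuance path: header and payload signed with HMAC-SHA256."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input: header claims alg=none and the signature segment is empty."""
    return f"{_segment({'alg': 'none'})}.{_segment(claims)}."


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """Flawed pattern: the untrusted header decides how the token is verified."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))  # unsigned token accepted: the bug
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(b64url_decode(sig_b64), expected):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned(token: str, key: bytes) -> Optional[dict]:
    """Hardened pattern: the verifier, not the token, fixes algorithm and key."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):  # wrong segment count, bad base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None  # anything other than the pinned algorithm is rejected outright
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    good = make_hs256_token({"sub": "user1"}, DEMO_KEY)
    unsigned = make_unsigned_token({"sub": "admin"})
    print("pinned verifier, signed token:  ", verify_pinned(good, DEMO_KEY))
    print("pinned verifier, unsigned token:", verify_pinned(unsigned, DEMO_KEY))
    print("flawed verifier, unsigned token:", verify_trusting_header(unsigned, DEMO_KEY))
```

The important design choice is that `verify_pinned` never reads the algorithm from the token to choose a verification routine; the header is compared against a server-side constant and the HMAC is computed with the server's key regardless of what the token claims. A library-based verifier should be configured the same way, with the accepted algorithm list passed explicitly rather than inferred from the token.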
## Exploitation
- **Status:** In the absence of specific CVSS scores or public exploit disclosure, the status is **Unknown / PoC likely available** for code execution and SQLi flaws.
- **Complexity:** Likely **Low to Medium** for remote code execution and SQL injection vectors, especially if authentication bypass (CVE-2025-30064) is trivial.
- **Attack Vector:** Primarily **Network** (for web service related flaws like SQLi/Auth Bypass) and **Local** (for metadata exposure or configuration reading).
## Impact
- **Confidentiality:** High (Sensitive data exposure via SQLi and metadata exposure).
- **Integrity:** Critical (Arbitrary code execution allowing system modification or configuration changes).
- **Availability:** Potential impact depending on the scope of executed code/SQL commands.
## Remediation
### Patches
Patches are available by upgrading to the following versions or later:
* **2025.MS1** (or later)
* **2024.MS4** (or later)
* **2025.MS2** (or later)
* **2024.MS4.33** (or later)
### Workarounds
No specific workarounds were detailed in the provided text. General mitigations should include:
1. If applicable, disabling features related to the vulnerable endpoints (e.g., disabling caching related to `EnableJSCaching`).
2. Reviewing and restricting access to the database configuration file (to address CVE-2025-30063).
## Detection
- **Indicators of Compromise (IoCs):** None are given in the source. Generic indicators for these flaw classes are unusual shell commands spawned by the application process, unexpected database query patterns from the affected services, and abnormal session-creation requests.
- **Detection Methods and Tools:** Web Application Firewalls (WAFs) should be tuned to detect common SQL injection payloads and code execution attempts in the affected input parameters. Host and network monitoring should flag unexpected SMB or local file access to the database configuration file.
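The following Python scanner is an added example of the detection logic described above, applied to constructed web-server access-log lines; it is not part of the CERT Polska report or the vendor's tooling. It checks the parameters the advisory names: `pesel` (assumed, as a PESEL number, to be exactly 11 digits, so positive validation rather than payload signatures), `Module` and `filename` (shell metacharacters), and `ex:action` (a JWT whose header algorithm is not the expected one, assumed here to be HS256, or which lacks a signature). The log format and the sample lines are constructed for the example.

```python
import base64
import json
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

EXPECTED_JWT_ALG = "HS256"                 # assumption: the algorithm the service should issue
PESEL_RE = re.compile(r"\d{11}")           # PESEL is an 11-digit identifier; anything else is suspect
SHELL_META_RE = re.compile(r"[;&|`$<>\r\n]")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample access-log lines (not real CLININET traffic).
# Line 1 is benign; lines 2-4 carry the kinds of input the advisory describes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2025:10:00:01 +0200] "GET /PatientService.pl?pesel=12345678901 HTTP/1.1" 200 512
10.0.0.7 - - [01/Apr/2025:10:00:02 +0200] "GET /PatientService.pl?pesel=1%27%20OR%201%3D1-- HTTP/1.1" 200 9813
10.0.0.9 - - [01/Apr/2025:10:00:03 +0200] "GET /index.pl?Module=main%3Bx HTTP/1.1" 200 77
10.0.0.9 - - [01/Apr/2025:10:00:04 +0200] "GET /login.pl?ex%3Aaction=eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9. HTTP/1.1" 302 0
"""


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def request_params(line: str) -> Tuple[str, Dict[str, List[str]]]:
    """Extract the request path and the percent-decoded query parameters from one line."""
    m = REQUEST_RE.search(line)
    if not m:
        return "", {}
    parts = urlsplit(m.group(1))
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def jwt_finding(token: str) -> Optional[Tuple[str, str]]:
    """Flag a token whose header does not claim the expected algorithm or that has no signature."""
    segs = token.split(".")
    if len(segs) != 3:
        return "jwt-malformed", token
    try:
        header = json.loads(b64url_decode(segs[0]))
        alg = header.get("alg") if isinstance(header, dict) else None
    except (ValueError, UnicodeDecodeError):
        alg = None
    if alg != EXPECTED_JWT_ALG:
        return "jwt-unexpected-alg", str(alg)
    if not segs[2]:
        return "jwt-missing-signature", token
    return None


def findings_for_line(line: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, reason, offending_value) for every suspicious parameter on one line."""
    ip = line.split(" ", 1)[0]
    _path, params = request_params(line)
    out: List[Tuple[str, str, str]] = []
    for value in params.get("pesel", []):
        if not PESEL_RE.fullmatch(value):          # positive validation: 11 digits or it is flagged
            out.append((ip, "pesel-not-11-digits", value))
    for name in ("Module", "filename"):
        for value in params.get(name, []):
            if SHELL_META_RE.search(value):        # characters that change meaning in a shell
                out.append((ip, f"{name}-shell-metachar", value))
    for token in params.get("ex:action", []):
        hit = jwt_finding(token)
        if hit:
            out.append((ip, hit[0], hit[1]))
    return out


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    results: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        if line.strip():
            results.extend(findings_for_line(line))
    return results


if __name__ == "__main__":
    for ip, reason, value in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

The `pesel` rule is deliberately an allowlist rather than a blacklist of injection strings: a field with a fixed format is easier to validate positively, and the same check belongs in the application before the value reaches a query. The JWT rule only reads the header, so it works on logged requests without knowing the signing key; a token claiming any algorithm other than the one the service issues is worth an alert on its own.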
## References
- No vendor advisory link is given in the source; the fixed versions listed under Remediation are the only vendor information provided.
- **Source:** CERT Polska Report.
- **Relevant Links (Defanged):**
* hxxps://www.cve.org/CVERecord?id=CVE-2025-2313 (and subsequent CVEs listed)
* hxxps://cert.pl/en/cve (General advisories link)