CVE-2022-1067
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| LifePoint Informatics | Patient Portal | All < LPI 3.5.12.P30 | affected |
Weaknesses
- CWE-288: CWE-288 Authentication Bypass Using an Alternate Path or Channel
Workarounds
LifePoint Informatics released and deployed updated Version LPI 3.5.15 in February of 2022, which mitigated this vulnerability. LifePoint Informatics Patient Portal is a hosted application and users don’t need to take any action.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.