CVE-2025-12922

Summary

A vulnerability was found in OpenClinica Community Edition up to 3.12.2/3.13. This affects an unknown part of the file /ImportCRFData?action=confirm of the component CRF Data Import. Performing manipulation of the argument xml_file results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
OpenClinicaCommunity Edition3.0affected
OpenClinicaCommunity Edition3.1affected
OpenClinicaCommunity Edition3.2affected
OpenClinicaCommunity Edition3.3affected
OpenClinicaCommunity Edition3.4affected
OpenClinicaCommunity Edition3.5affected
OpenClinicaCommunity Edition3.6affected
OpenClinicaCommunity Edition3.7affected
OpenClinicaCommunity Edition3.8affected
OpenClinicaCommunity Edition3.9affected
OpenClinicaCommunity Edition3.10affected
OpenClinicaCommunity Edition3.11affected
OpenClinicaCommunity Edition3.12affected
OpenClinicaCommunity Edition3.12.0affected
OpenClinicaCommunity Edition3.12.1affected
OpenClinicaCommunity Edition3.12.2affected
OpenClinicaCommunity Edition3.13affected

Weaknesses

  • CWE-22: Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References