CVE-2025-35033

Summary

Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14.

Affected Software

VendorProductVersion RangeStatus
Medical Informatics EngineeringEnterprise HealthRC202503 < RC202503 2025-03-14affected
Medical Informatics EngineeringEnterprise HealthRC202409 < RC202409 2025-03-14affected
Medical Informatics EngineeringEnterprise HealthRC202403 < RC202403 2025-03-14affected
Medical Informatics EngineeringEnterprise HealthRC202309 < RC202309 2025-03-14affected
Medical Informatics EngineeringEnterprise HealthRC202303 < RC202303 2025-03-14affected
Medical Informatics EngineeringEnterprise HealthRC202503 2025-03-14unaffected
Medical Informatics EngineeringEnterprise HealthRC202409 2025-03-14unaffected
Medical Informatics EngineeringEnterprise HealthRC202403 2025-03-14unaffected
Medical Informatics EngineeringEnterprise HealthRC202309 2025-03-14unaffected
Medical Informatics EngineeringEnterprise HealthRC202303 2025-03-14unaffected

Weaknesses

  • CWE-1236: CWE-1236 Improper Neutralization of Formula Elements in a CSV File

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References