CVE-2023-40278

7.5 HIGH

📋 TL;DR

This vulnerability in OpenClinic GA lets an attacker determine whether a specific appointment exists by manipulating the AppointmentUid parameter of the printAppointmentPdf.jsp component. The application reveals whether the appointment exists through differences in its error messages, an information-disclosure weakness. It affects all users of OpenClinic GA version 5.247.01.

💻 Affected Systems

Products:
  • OpenClinic GA
Versions: 5.247.01
Operating Systems: All platforms running OpenClinic GA
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component printAppointmentPdf.jsp specifically.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map all appointment records, potentially identifying patient schedules, treatment patterns, or sensitive medical visit information, leading to privacy violations and targeted attacks.

🟠 Likely Case

Attackers enumerate appointment IDs to discover active appointments, potentially identifying patient visit patterns or testing for specific individuals' medical appointments.

🟢 If Mitigated

With proper error handling and access controls, impact is limited to unsuccessful enumeration attempts with no useful information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple parameter manipulation with predictable error responses makes exploitation trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://sourceforge.net/projects/open-clinic/

Restart Required: No

Instructions:

No official patch available. Monitor OpenClinic project updates for security fixes.

🔧 Temporary Workarounds

Implement Uniform Error Responses
Scope: all
Description: Modify printAppointmentPdf.jsp to return identical error messages regardless of whether the appointment exists
Steps: Edit printAppointmentPdf.jsp to standardize its error responses

Access Control Enhancement
Scope: all
Description: Add authentication/authorization checks before processing appointment requests
Steps: Implement session validation in printAppointmentPdf.jsp

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block parameter manipulation attempts
  • Restrict access to printAppointmentPdf.jsp to authenticated users only via network controls

🔍 How to Verify

Check if Vulnerable:

Test by requesting printAppointmentPdf.jsp with a valid and an invalid AppointmentUid value and compare the error responses (status code, message text and response length); any difference confirms the leak

Check Version:

Check OpenClinic GA version in administration interface or configuration files

Verify Fix Applied:

Verify that both valid and invalid AppointmentUid values return identical error responses

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed requests to printAppointmentPdf.jsp with sequential AppointmentUid values
  • Unusual parameter manipulation patterns in access logs

Network Indicators:

  • HTTP requests to printAppointmentPdf.jsp with manipulated AppointmentUid parameters

SIEM Query:

source="web_logs" AND uri="*printAppointmentPdf.jsp*" AND (param="AppointmentUid" OR query_contains="AppointmentUid")
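The log indicators above can be checked offline. The following script is an added example, not part of this advisory or of the OpenClinic project: it parses access-log lines in combined log format (the constructed sample below assumes a `/openclinic/` deployment path) and flags any client that walked a run of consecutive AppointmentUid values against printAppointmentPdf.jsp. Because the leak is in the differing error responses, a probing run contains both error and success statuses, so the whole run is scored rather than only the failures.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2023:10:00:01 +0000] "GET /openclinic/printAppointmentPdf.jsp?AppointmentUid=1001 HTTP/1.1" 500 512
10.0.0.5 - - [12/Aug/2023:10:00:02 +0000] "GET /openclinic/printAppointmentPdf.jsp?AppointmentUid=1002 HTTP/1.1" 500 512
10.0.0.5 - - [12/Aug/2023:10:00:03 +0000] "GET /openclinic/printAppointmentPdf.jsp?AppointmentUid=1003 HTTP/1.1" 200 20480
10.0.0.5 - - [12/Aug/2023:10:00:04 +0000] "GET /openclinic/printAppointmentPdf.jsp?AppointmentUid=1004 HTTP/1.1" 500 512
10.0.0.5 - - [12/Aug/2023:10:00:05 +0000] "GET /openclinic/printAppointmentPdf.jsp?AppointmentUid=1005 HTTP/1.1" 500 512
10.0.0.9 - - [12/Aug/2023:10:05:00 +0000] "GET /openclinic/printAppointmentPdf.jsp?AppointmentUid=2231 HTTP/1.1" 200 19872
10.0.0.9 - - [12/Aug/2023:10:06:00 +0000] "GET /openclinic/index.jsp HTTP/1.1" 200 3000
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
UID_RE = re.compile(r'[?&]AppointmentUid=(\d+)')

def parse_requests(log_text):
    """Yield (client_ip, AppointmentUid, status) for each printAppointmentPdf.jsp request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "printAppointmentPdf.jsp" not in m["path"]:
            continue
        uid = UID_RE.search(m["path"])
        if uid:
            yield m["ip"], int(uid.group(1)), int(m["status"])

def find_enumeration(log_text, min_run=4, max_gap=1):
    """Flag clients that walked a run of consecutive AppointmentUid values.
    The leak is in differing error responses, so a probing run mixes error and
    success statuses; the whole run is scored, not only the failures."""
    by_ip = defaultdict(list)
    for ip, uid, status in parse_requests(log_text):
        by_ip[ip].append((uid, status))
    alerts = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        start = 0
        for i in range(1, len(reqs) + 1):
            # A run ends at the last request or when the next UID is not within max_gap.
            if i == len(reqs) or not 0 < reqs[i][0] - reqs[i - 1][0] <= max_gap:
                run = reqs[start:i]
                if len(run) >= min_run:
                    alerts[ip] = {"first_uid": run[0][0], "last_uid": run[-1][0],
                                  "requests": len(run), "errors": sum(1 for _, st in run if st >= 400)}
                    break
                start = i
    return alerts
```

Tune `min_run` and `max_gap` to the site's normal traffic; legitimate users fetch one appointment PDF at a time, so even a short consecutive run from one client is worth a look.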
