CVE-2023-40280

7.5 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to perform directory path traversal attacks in OpenClinic GA by manipulating the Page parameter in GET requests to popup.jsp. This could enable unauthorized file access on the server. Only OpenClinic GA version 5.247.01 is affected.

💻 Affected Systems

Products:
  • OpenClinic GA
Versions: 5.247.01
Operating Systems: All platforms running OpenClinic GA
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication to exploit, but default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains access to sensitive files including configuration files, patient records, or system files, potentially leading to data breach or system compromise.

🟠 Likely Case

Unauthorized reading of arbitrary files on the server, potentially exposing sensitive configuration or application data.

🟢 If Mitigated

Limited impact with proper file system permissions and input validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://sourceforge.net/projects/open-clinic/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter
Applies to: all

Implement input validation to reject directory traversal sequences in the Page parameter.

Modify popup.jsp to validate the Page parameter against allowed values.

Web Application Firewall Rule
Applies to: all

Block requests containing directory traversal patterns.

Configure the WAF to block requests with ../, ..\, or similar patterns in parameters.

🧯 If You Can't Patch

  • Restrict file system permissions to limit accessible directories
  • Implement network segmentation to isolate OpenClinic GA from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Test by sending a GET request to popup.jsp with a Page parameter containing directory traversal sequences like ../../../etc/passwd

Check Version:

Check OpenClinic GA version in application interface or configuration files

Verify Fix Applied:

Verify that directory traversal attempts are blocked or return error responses

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to popup.jsp with suspicious Page parameter values containing ../ or similar patterns

Network Indicators:

  • Unusual file access patterns from authenticated users

SIEM Query:

source="web_logs" AND uri="/popup.jsp" AND query="*../*"
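The SIEM query above matches only a literal ../; the following is an added example (not from this page or from OpenClinic GA) of a log detector for the same indicator that also catches URL-encoded and double-encoded traversal in the Page parameter of popup.jsp. The Combined Log Format, hostnames, users and paths in the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format); addresses,
# users, timestamps and paths are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/Mar/2024:10:01:02 +0000] "GET /openclinic/popup.jsp?Page=visit_summary.jsp HTTP/1.1" 200 1532
10.0.0.7 - jdoe [12/Mar/2024:10:01:09 +0000] "GET /openclinic/popup.jsp?Page=../../../etc/passwd HTTP/1.1" 200 987
10.0.0.7 - jdoe [12/Mar/2024:10:01:15 +0000] "GET /openclinic/popup.jsp?Page=..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 2210
10.0.0.7 - jdoe [12/Mar/2024:10:01:21 +0000] "GET /openclinic/popup.jsp?Page=%252e%252e%255cconfig HTTP/1.1" 500 0
10.0.0.9 - asmith [12/Mar/2024:10:02:00 +0000] "GET /openclinic/index.jsp?Page=../x HTTP/1.1" 200 400
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so that encoded
    and double-encoded ../ sequences are seen in their decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment (either slash style)."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return any(seg == ".." for seg in segments)

def find_traversal_attempts(log_text):
    """Return (ip, user, page_value) for each request to popup.jsp whose
    Page parameter carries a traversal sequence; page_value is decoded once."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/popup.jsp"):
            continue
        # parse_qs applies one round of decoding; is_traversal handles the rest
        for page in parse_qs(parts.query, keep_blank_values=True).get("Page", []):
            if is_traversal(page):
                hits.append((m.group("ip"), m.group("user"), page))
    return hits

if __name__ == "__main__":
    for ip, user, page in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip} as {user}: Page={page!r}")
```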
