CVE-2024-23747

7.5 HIGH

📋 TL;DR

This IDOR vulnerability in ModernaNet Hospital Management System allows attackers to access sensitive medical records by manipulating URL parameters. Healthcare organizations using this system are affected, potentially exposing patient confidentiality and violating privacy regulations.

💻 Affected Systems

Products:
  • Moderna Sistemas ModernaNet Hospital Management System
Versions: 2024 version
Operating Systems: Unknown - likely web-based
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component handling medical report access

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass exfiltration of all patient medical records, leading to identity theft, medical fraud, regulatory violations, and complete loss of patient trust.

🟠 Likely Case

Targeted access to specific patient records for blackmail, insurance fraud, or competitive intelligence gathering.

🟢 If Mitigated

Limited exposure of non-critical patient data with proper access controls and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some authentication but minimal technical skill

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://modernasistemas.com.br/sitems/

Restart Required: No

Instructions:

Contact Moderna Sistemas for security updates and apply any available patches immediately

🔧 Temporary Workarounds

Web Application Firewall Rule

Applies to: all

Block or monitor requests to /Modernanet/LAUDO/LAU0000100/Laudo with suspicious id parameters

WAF-specific configuration required

Access Control Enhancement

Applies to: all

Implement server-side authorization checks for all medical record access requests

Application code modification required
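The access-control workaround above is the real fix for an IDOR: the server must decide whether the caller is allowed to see the record, not just whether the id exists. The following Python is an added illustration written for this page; it is not ModernaNet code, and the User/Report types, the in-memory REPORTS table and the sample identifiers (P-1, C-7, ids 101 and 102) are constructed stand-ins for the application's own data model. It places the vulnerable lookup (id taken straight from the URL) beside a hardened one that validates the parameter and enforces ownership, returning the same error for missing and forbidden records so probing cannot confirm which ids exist.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str           # "patient", "clinician" or "admin" (constructed roles)


@dataclass(frozen=True)
class Report:
    report_id: int
    patient_id: str     # owner of the record
    clinician_id: str   # clinician who signed the report
    body: str


# Constructed sample data standing in for the application's report table.
REPORTS = {
    101: Report(101, "P-1", "C-9", "lab results for patient P-1"),
    102: Report(102, "P-2", "C-7", "lab results for patient P-2"),
}
PATIENT_A = User("P-1", "patient")
PATIENT_B = User("P-2", "patient")
CLINICIAN = User("C-7", "clinician")
ADMIN = User("A-1", "admin")


class NotFound(Exception):
    pass


def parse_report_id(raw: Optional[str]) -> Optional[int]:
    """Strictly parse the 'id' query parameter: only a positive integer is accepted."""
    if raw is None or not raw.isdigit():
        return None
    value = int(raw)
    return value if value > 0 else None


def lookup_report_vulnerable(user: User, report_id: int) -> Optional[Report]:
    # IDOR pattern: the id from the URL is trusted as-is and the caller's
    # identity is never consulted, so any authenticated user can read any report.
    return REPORTS.get(report_id)


def is_authorized(user: User, report: Report) -> bool:
    """Ownership rule: patients see their own reports, clinicians the ones they signed."""
    if user.role == "admin":
        return True
    if user.role == "patient":
        return report.patient_id == user.user_id
    if user.role == "clinician":
        return report.clinician_id == user.user_id
    return False


def lookup_report_hardened(user: User, report_id: int) -> Report:
    report = REPORTS.get(report_id)
    # One error for both "missing" and "forbidden": the response must not reveal
    # whether an id the caller may not read actually exists.
    if report is None or not is_authorized(user, report):
        raise NotFound(f"report {report_id} is not available to {user.user_id}")
    return report


def can_access(user: User, raw_id: Optional[str]) -> bool:
    """Convenience wrapper: True only if parsing and authorization both succeed."""
    rid = parse_report_id(raw_id)
    if rid is None:
        return False
    try:
        lookup_report_hardened(user, rid)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # Patient P-1 requesting P-2's report: served by the vulnerable path, refused by the hardened one.
    print("vulnerable:", lookup_report_vulnerable(PATIENT_A, 102))
    print("hardened:", can_access(PATIENT_A, "102"))
```

The authorization decision lives in one function (is_authorized) so that every endpoint that serves a report calls the same rule; an IDOR typically survives because one handler forgets the check that the others perform.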

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the ModernaNet system from untrusted networks
  • Deploy comprehensive logging and monitoring for all access to medical record endpoints

🔍 How to Verify

Check if Vulnerable:

Test if changing the 'id' parameter in /Modernanet/LAUDO/LAU0000100/Laudo?id= allows access to unauthorized medical records

Check Version:

Check system version in application interface or contact vendor

Verify Fix Applied:

Verify that server-side authorization checks prevent unauthorized record access regardless of id parameter manipulation

📡 Detection & Monitoring

Log Indicators:

  • Rapid sequential access to multiple medical record IDs
  • Access patterns showing ID enumeration

Network Indicators:

  • Unusual volume of requests to medical record endpoints
  • Requests with sequential or unusual ID parameters

SIEM Query:

source="modernanet" AND uri="/Modernanet/LAUDO/LAU0000100/Laudo" AND (id_parameter_changes > threshold OR rapid_id_enumeration)
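The log and network indicators listed above (rapid sequential access to many record ids) can be checked directly against web-server access logs. The Python below is an added example written for this page, not a ModernaNet or vendor tool: it assumes the reverse proxy or web server writes combined-format access logs with the authenticated username in the third field, and the SAMPLE_LOG lines, client addresses, usernames and record ids are constructed test data. It parses only requests to the report path named above, groups them per client, and raises an alert when one client fetches many distinct ids in a short window with mostly step-by-one ids, which is the enumeration pattern the SIEM query is meant to catch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample access-log lines (combined log format); no real data.
SAMPLE_LOG = """\
10.0.0.5 - dr.smith [12/Mar/2024:10:01:05 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=1001 HTTP/1.1" 200 5120
10.0.0.5 - dr.smith [12/Mar/2024:10:01:09 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=1002 HTTP/1.1" 200 4980
10.0.0.5 - dr.smith [12/Mar/2024:10:01:14 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=1003 HTTP/1.1" 200 5010
10.0.0.5 - dr.smith [12/Mar/2024:10:01:20 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=1004 HTTP/1.1" 200 4870
10.0.0.5 - dr.smith [12/Mar/2024:10:01:27 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=1005 HTTP/1.1" 200 5330
10.0.0.5 - dr.smith [12/Mar/2024:10:01:33 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=1006 HTTP/1.1" 200 5100
10.0.0.5 - dr.smith [12/Mar/2024:10:01:41 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=1007 HTTP/1.1" 200 4950
10.0.0.5 - dr.smith [12/Mar/2024:10:01:48 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=1008 HTTP/1.1" 200 5200
10.0.0.9 - p.jones [12/Mar/2024:10:03:00 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=4421 HTTP/1.1" 200 6100
10.0.0.9 - p.jones [12/Mar/2024:10:03:40 +0000] "GET /Modernanet/LAUDO/LAU0000100/Laudo?id=4421 HTTP/1.1" 200 6100
10.0.0.7 - nurse.k [12/Mar/2024:10:05:00 +0000] "GET /Modernanet/ HTTP/1.1" 200 800
"""

REPORT_PATH = "/Modernanet/LAUDO/LAU0000100/Laudo"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a report-access event for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path != REPORT_PATH:
        return None
    ids = parse_qs(query).get("id", [])
    if len(ids) != 1 or not ids[0].isdigit():
        return None  # missing, repeated or non-numeric id: not an enumeration event
    return {
        "client": (m.group("ip"), m.group("user")),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "id": int(ids[0]),
        "status": int(m.group("status")),
    }


def detect_enumeration(lines, window=timedelta(minutes=5), min_distinct=5, min_sequential=0.5):
    """Flag clients that request many distinct, mostly consecutive ids inside one time window."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["client"]].append(ev)

    alerts = []
    for client, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            ids = [e["id"] for e in chunk]
            distinct = len(set(ids))
            if distinct < min_distinct:
                continue
            steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
            sequential = sum(1 for s in steps if s == 1) / len(steps)
            if sequential < min_sequential:
                continue
            candidate = {
                "client": client,
                "distinct_ids": distinct,
                "sequential_fraction": sequential,
                "served_200": sum(1 for e in chunk if e["status"] == 200),
                "first": chunk[0]["ts"].isoformat(),
                "last": chunk[-1]["ts"].isoformat(),
            }
            if best is None or distinct > best["distinct_ids"]:
                best = candidate
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

The served_200 count matters for triage: after the fix is applied, enumeration attempts should still show up as bursts of requests but with the successful-response count dropping to the records the user actually owns, which is also a practical way to confirm the server-side check is in force.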
