cbcvebase.
CVE-2023-40278
published 2024-03-19

CVE-2023-40278: An issue was discovered in OpenClinic GA 5.247.01. An Information Disclosure vulnerability has been identified in the printAppointmentPdf.jsp component of…

PriorityP353high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
3.00%
85.7th percentile
An issue was discovered in OpenClinic GA 5.247.01. An Information Disclosure vulnerability has been identified in the printAppointmentPdf.jsp component of OpenClinic GA. By changing the AppointmentUid parameter, an attacker can determine whether a specific appointment exists based on the error message.

Affected

1 ranges
VendorProductVersion rangeFixed in
openclinic_ga_projectopenclinic_ga

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://[IP]:10088/openclinic/planning/printAppointmentPdf.jsp?AppointmentUid=1.1
path/openclinic/planning/printAppointmentPdf.jsp
port10088
  • Alert on unauthenticated or repeated access to printAppointmentPdf.jsp from a single source IP, particularly across multiple distinct AppointmentUid values, as this pattern is consistent with appointment enumeration.
  • ·The vulnerability is specific to OpenClinic GA version 5.247.01; verify the deployed version before applying detections to avoid false positives on patched or unaffected versions.
  • ·The exploit was tested on Windows 10 and Windows 11 hosts; detection rules targeting process or file artifacts should be scoped accordingly.
  • ·The information disclosure relies purely on differential error message responses (oracle behaviour), not on direct data exfiltration; detections must inspect HTTP response bodies, not just request parameters.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.