Clininet
CVE-2025-30042
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. As a result, possession of the certificate number alone is sufficient for authentication, regardless of the actual presence of the smart card or ownership of the private key.
AnalysisAI
The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. [CVSS 7.8 HIGH]
Technical ContextAI
Affects Clininet. The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. As a result, possession of the certificate number alone is sufficient for authentication, regardless of the actual presence of the smart card or ownership of the private key.
RemediationAI
Monitor vendor advisories for a patch.
The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks.
The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security
The CGM CLININET application respond without essential security HTTP headers, exposing users to client‑side attacks such
Same weakness CWE-603 – Use of Client-Side Authentication
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today