Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
AnalysisAI
Privilege misassignment in Mesalvo Meona Client Launcher and Server components allows authenticated high-privilege users to abuse the built-in SQL editor to exfiltrate user records - including cleartext-stored passwords - from the application backend. The flaw affects Meona Client Launcher up to build dated 19.06.2020 15:11:49 and Meona Server Component up to 2025.04 5+323020. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Meona is a clinical/healthcare information system distributed by Mesalvo as a thick-client launcher paired with a server backend; the launcher provides administrative tooling that includes an SQL editor used to query the backing database. The root cause is CWE-266 (Incorrect Privilege Assignment), meaning a role or session is granted permissions broader than intended - here, the SQL editor function is reachable by accounts that should not have the ability to dump arbitrary tables. Compounding the issue, the underlying user table stores credentials in cleartext rather than as salted hashes, so SELECT access is sufficient to harvest reusable passwords.
RemediationAI
No vendor-released patch version is identified at time of analysis in the supplied references, so organizations should contact Mesalvo directly for a fixed Client Launcher build dated after 19.06.2020 15:11:49 and a Server Component build above 2025.04 5+323020, citing the research write-up at https://seccore.at/blog/cves-meona/. As compensating controls until a confirmed fix is deployed, restrict the SQL editor functionality to a minimal break-glass admin group (network-segment the launcher and require jump-host access), audit and reduce the number of accounts holding the high-privilege role exploitable here, and force a password reset for all Meona users with the assumption that previously stored credentials may be compromised; long-term the vendor must migrate the user table from cleartext to a salted password hash, since restricting the SQL editor alone does not remove the underlying credential-storage weakness.
Code injection in Mesalvo Meona Client Launcher Component (through 19.06.2020 15:11:49) and Meona Server Component (thro
Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user t
Cleartext storage of sensitive information in memory (CWE-316) affects both the Meona Client Launcher Component and the
Mesalvo Meona's Client Launcher and Server components fail to verify data authenticity (CWE-345), enabling a locally aut
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31092
GHSA-74c8-2c8j-qpj7