va-25-272-01
Vulnerability from csaf_cisa
Published
2025-09-29 00:00
Modified
2025-09-29 00:00
Summary
Medical Informatics Engineering Enterprise Health multiple vulnerabilities
Notes
Legal Notice
All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).
Countries and Areas Deployed
Worldwide
Critical Infrastructure Sectors
Information Technology
Risk Evaluation
Medical Informatics Engineering Enterprise Health is an OEHR (Occupational Electronic Health Record) platform. Enterprise Health contains multiple vulnerabilities that could allow an attacker to inject executable content, obtain session tokens, and upload arbitrary files.
Recommended Practices
All instances of Medical Informatics Engineering Enterprise Health have been updated as of 2025-04-08. No further action is required to mitigate these vulnerabilities.
Company Headquarters Location
United States
{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en-US", "notes": [ { "category": "legal_disclaimer", "text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).", "title": "Legal Notice" }, { "category": "other", "text": "Worldwide", "title": "Countries and Areas Deployed" }, { "category": "other", "text": "Information Technology", "title": "Critical Infrastructure Sectors" }, { "category": "summary", "text": "Medical Informatics Engineering Enterprise Health is an OEHR (Occupational Electronic Health Record) platform. Enterprise Health contains multiple vulnerabilities that could allow an attacker to inject executable content, obtain session tokens, and upload arbitrary files.", "title": "Risk Evaluation" }, { "category": "general", "text": "All instances of Medical Informatics Engineering Enterprise Health have been updated as of 2025-04-08. 
No further action is required to mitigate these vulnerabilities.", "title": "Recommended Practices" }, { "category": "other", "text": "United States", "title": "Company Headquarters Location" } ], "publisher": { "category": "coordinator", "contact_details": "https://www.cisa.gov/report", "issuing_authority": "CISA", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "references": [ { "category": "self", "summary": "Vulnerability Advisory VA-25-272-01 CSAF", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json" } ], "title": "Medical Informatics Engineering Enterprise Health multiple vulnerabilities", "tracking": { "current_release_date": "2025-09-29T00:00:00Z", "generator": { "engine": { "name": "VINCE-NT", "version": "1.10.0" } }, "id": "VA-25-272-01", "initial_release_date": "2025-09-29T00:00:00Z", "revision_history": [ { "date": "2025-09-29T00:00:00Z", "number": "1.0.0", "summary": "Initial publication" } ], "status": "final", "version": "1.0.0" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003e=RC202503|\u003cRC202503 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health \u003e=RC202503|\u003cRC202503 2025-04-08", "product_id": "CSAFPID-0001" } }, { "category": "product_version_range", "name": "\u003e=RC202409|\u003cRC202409 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health \u003e=RC202409|\u003cRC202409 2025-04-08", "product_id": "CSAFPID-0002" } }, { "category": "product_version_range", "name": "\u003e=RC202403|\u003cRC202403 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health \u003e=RC202403|\u003cRC202403 2025-04-08", "product_id": "CSAFPID-0003" } }, { "category": "product_version_range", "name": "\u003e=RC202309|\u003cRC202309 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health 
\u003e=RC202309|\u003cRC202309 2025-04-08", "product_id": "CSAFPID-0004" } }, { "category": "product_version_range", "name": "\u003e=RC202303|\u003cRC202303 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health \u003e=RC202303|\u003cRC202303 2025-04-08", "product_id": "CSAFPID-0005" } }, { "category": "product_version", "name": "RC202503 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202503 2025-04-08", "product_id": "CSAFPID-0006" } }, { "category": "product_version", "name": "RC202409 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202409 2025-04-08", "product_id": "CSAFPID-0007" } }, { "category": "product_version", "name": "RC202403 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202403 2025-04-08", "product_id": "CSAFPID-0008" } }, { "category": "product_version", "name": "RC202309 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202309 2025-04-08", "product_id": "CSAFPID-0009" } }, { "category": "product_version", "name": "RC202303 2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202303 2025-04-08", "product_id": "CSAFPID-0010" } }, { "category": "product_version_range", "name": "\u003c2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health \u003c2025-04-08", "product_id": "CSAFPID-0011" } }, { "category": "product_version", "name": "2025-04-08", "product": { "name": "Medical Informatics Engineering Enterprise Health 2025-04-08", "product_id": "CSAFPID-0012" } }, { "category": "product_version_range", "name": "\u003e=RC202503|\u003cRC202503 2025-03-14", "product": { "name": "Medical Informatics Engineering Enterprise Health \u003e=RC202503|\u003cRC202503 2025-03-14", "product_id": "CSAFPID-0013" } }, { "category": "product_version_range", "name": "\u003e=RC202409|\u003cRC202409 2025-03-14", "product": { 
"name": "Medical Informatics Engineering Enterprise Health \u003e=RC202409|\u003cRC202409 2025-03-14", "product_id": "CSAFPID-0014" } }, { "category": "product_version_range", "name": "\u003e=RC202403|\u003cRC202403 2025-03-14", "product": { "name": "Medical Informatics Engineering Enterprise Health \u003e=RC202403|\u003cRC202403 2025-03-14", "product_id": "CSAFPID-0015" } }, { "category": "product_version_range", "name": "\u003e=RC202309|\u003cRC202309 2025-03-14", "product": { "name": "Medical Informatics Engineering Enterprise Health \u003e=RC202309|\u003cRC202309 2025-03-14", "product_id": "CSAFPID-0016" } }, { "category": "product_version_range", "name": "\u003e=RC202303|\u003cRC202303 2025-03-14", "product": { "name": "Medical Informatics Engineering Enterprise Health \u003e=RC202303|\u003cRC202303 2025-03-14", "product_id": "CSAFPID-0017" } }, { "category": "product_version", "name": "RC202503 2025-03-14", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202503 2025-03-14", "product_id": "CSAFPID-0018" } }, { "category": "product_version", "name": "RC202409 2025-03-14", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202409 2025-03-14", "product_id": "CSAFPID-0019" } }, { "category": "product_version", "name": "RC202403 2025-03-14", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202403 2025-03-14", "product_id": "CSAFPID-0020" } }, { "category": "product_version", "name": "RC202309 2025-03-14", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202309 2025-03-14", "product_id": "CSAFPID-0021" } }, { "category": "product_version", "name": "RC202303 2025-03-14", "product": { "name": "Medical Informatics Engineering Enterprise Health RC202303 2025-03-14", "product_id": "CSAFPID-0022" } } ], "category": "product_name", "name": "Enterprise Health" } ], "category": "vendor", "name": "Medical Informatics Engineering" } ] }, "vulnerabilities": [ { "acknowledgments": 
[ { "names": [ "George Thompson" ], "organization": "Sandia National Laboratories" }, { "names": [ "Trevor LaPay" ], "organization": "Sandia National Laboratories" }, { "names": [ "Fernando Martinez" ], "organization": "Sandia National Laboratories" }, { "names": [ "Gary Huang" ], "organization": "Sandia National Laboratories" } ], "cve": "CVE-2025-35029", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the \u0027Demographic Information\u0027 page. This content will be rendered and executed when a victim accesses it. This issue is fixed as of 2025-03-14.", "title": "Description" }, { "category": "details", "text": "SSVCv2/E:N/A:N/T:P/2025-08-20T19:03:10Z/", "title": "SSVC" } ], "product_status": { "fixed": [ "CSAFPID-0006", "CSAFPID-0007", "CSAFPID-0008", "CSAFPID-0009" ], "known_affected": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] }, "references": [ { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2025-35029" } ], "release_date": "2025-09-29T00:00:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0002" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0003" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": 
"Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0004" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0006" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0007" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0008" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0009" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] } ], "title": "Medical Informatics Engineering Enterprise Health stored cross site scripting via Demographic Information page" }, { "acknowledgments": [ { "names": [ "George Thompson" ], "organization": "Sandia National Laboratories" }, { "names": [ "Trevor LaPay" ], "organization": "Sandia National Laboratories" }, { "names": [ "Fernando Martinez" ], "organization": "Sandia National Laboratories" }, { "names": [ "Gary Huang" ], "organization": "Sandia National Laboratories" } ], "cve": "CVE-2025-35030", "cwe": { "id": "CWE-352", "name": "Cross-Site Request Forgery (CSRF)" }, "notes": [ { "category": "summary", "text": "Medical Informatics Engineering Enterprise Health has a cross site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and perform actions on behalf of that administrative user. 
This issue is fixed as of 2025-04-08.", "title": "Description" }, { "category": "details", "text": "SSVCv2/E:N/A:N/T:T/2025-08-20T19:03:24Z/", "title": "SSVC" } ], "product_status": { "fixed": [ "CSAFPID-0006", "CSAFPID-0007", "CSAFPID-0008", "CSAFPID-0009", "CSAFPID-0010" ], "known_affected": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004", "CSAFPID-0005" ] }, "references": [ { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2025-35030" } ], "release_date": "2025-09-29T00:00:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0002" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0003" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0004" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0005" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0006" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0007" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0008" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0009" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", 
"details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0010" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004", "CSAFPID-0005" ] } ], "title": "Medical Informatics Engineering Enterprise Health cross site request forgery" }, { "acknowledgments": [ { "names": [ "George Thompson" ], "organization": "Sandia National Laboratories" }, { "names": [ "Trevor LaPay" ], "organization": "Sandia National Laboratories" }, { "names": [ "Fernando Martinez" ], "organization": "Sandia National Laboratories" }, { "names": [ "Gary Huang" ], "organization": "Sandia National Laboratories" } ], "cve": "CVE-2025-35031", "cwe": { "id": "CWE-1295", "name": "Debug Messages Revealing Unnecessary Information" }, "notes": [ { "category": "summary", "text": "Medical Informatics Engineering Enterprise Health includes the user\u0027s current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. 
This issue is fixed as of 2025-04-08.", "title": "Description" }, { "category": "details", "text": "SSVCv2/E:N/A:N/T:P/2025-08-20T19:03:36Z/", "title": "SSVC" } ], "product_status": { "fixed": [ "CSAFPID-0006", "CSAFPID-0007", "CSAFPID-0008" ], "known_affected": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003" ] }, "references": [ { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2025-35031" } ], "release_date": "2025-09-29T00:00:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0002" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0003" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0006" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0007" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0008" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003" ] } ], "title": "Medical Informatics Engineering Enterprise Health includes session token in debug output" }, { "acknowledgments": [ { "names": [ "George Thompson" ], "organization": "Sandia National Laboratories" }, { "names": [ "Trevor LaPay" ], "organization": "Sandia National Laboratories" }, { "names": [ 
"Fernando Martinez" ], "organization": "Sandia National Laboratories" }, { "names": [ "Gary Huang" ], "organization": "Sandia National Laboratories" } ], "cve": "CVE-2025-35032", "cwe": { "id": "CWE-434", "name": "Unrestricted Upload of File with Dangerous Type" }, "notes": [ { "category": "summary", "text": "Medical Informatics Engineering Enterprise Health allows authenticated users to upload arbitrary files. The impact of this behavior depends on how files are accessed. This issue is fixed as of 2025-04-08.", "title": "Description" }, { "category": "details", "text": "SSVCv2/E:N/A:N/T:P/2025-08-20T19:04:18Z/", "title": "SSVC" } ], "product_status": { "fixed": [ "CSAFPID-0012" ], "known_affected": [ "CSAFPID-0011" ] }, "references": [ { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2025-35032" } ], "release_date": "2025-09-29T00:00:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0011" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0012" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N", "version": "3.1" }, "products": [ "CSAFPID-0011" ] } ], "title": "Medical Informatics Engineering Enterprise Health arbitrary file upload" }, { "acknowledgments": [ { "names": [ "George Thompson" ], "organization": "Sandia National Laboratories" }, { "names": [ "Trevor LaPay" ], "organization": "Sandia National Laboratories" }, { "names": [ "Fernando Martinez" ], "organization": "Sandia National Laboratories" }, { "names": [ "Gary Huang" ], "organization": "Sandia National Laboratories" } ], "cve": 
"CVE-2025-35033", "cwe": { "id": "CWE-1236", "name": "Improper Neutralization of Formula Elements in a CSV File" }, "notes": [ { "category": "summary", "text": "Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14.", "title": "Description" }, { "category": "details", "text": "SSVCv2/E:N/A:N/T:P/2025-08-20T19:04:42Z/", "title": "SSVC" } ], "product_status": { "fixed": [ "CSAFPID-0018", "CSAFPID-0019", "CSAFPID-0020", "CSAFPID-0021", "CSAFPID-0022" ], "known_affected": [ "CSAFPID-0013", "CSAFPID-0014", "CSAFPID-0015", "CSAFPID-0016", "CSAFPID-0017" ] }, "references": [ { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2025-35033" } ], "release_date": "2025-09-29T00:00:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0013" ] }, { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0014" ] }, { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0015" ] }, { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0016" ] }, { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0017" ] }, { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0018" ] }, { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0019" ] 
}, { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0020" ] }, { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0021" ] }, { "category": "vendor_fix", "date": "2025-03-14T00:00:00Z", "details": "Fixed on 2025-03-14.", "product_ids": [ "CSAFPID-0022" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1" }, "products": [ "CSAFPID-0013", "CSAFPID-0014", "CSAFPID-0015", "CSAFPID-0016", "CSAFPID-0017" ] } ], "title": "Medical Informatics Engineering Enterprise Health CSV injection" }, { "acknowledgments": [ { "names": [ "George Thompson" ], "organization": "Sandia National Laboratories" }, { "names": [ "Trevor LaPay" ], "organization": "Sandia National Laboratories" }, { "names": [ "Fernando Martinez" ], "organization": "Sandia National Laboratories" }, { "names": [ "Gary Huang" ], "organization": "Sandia National Laboratories" } ], "cve": "CVE-2025-35034", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the \u0027portlet_user_id\u0027 URL parameter. A remote, unauthenticated attacker can craft a URL that can execute arbitrary JavaScript in the victim\u0027s browser. 
This issue is fixed as of 2025-03-14.", "title": "Description" }, { "category": "details", "text": "SSVCv2/E:N/A:N/T:P/2025-08-20T19:05:33Z/", "title": "SSVC" } ], "product_status": { "fixed": [ "CSAFPID-0006", "CSAFPID-0007", "CSAFPID-0008", "CSAFPID-0009" ], "known_affected": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] }, "references": [ { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2025-35034" } ], "release_date": "2025-09-29T00:00:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0002" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0003" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0004" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0006" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0007" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0008" ] }, { "category": "vendor_fix", "date": "2025-04-08T00:00:00Z", "details": "Fixed on 2025-04-08.", "product_ids": [ "CSAFPID-0009" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", 
"CSAFPID-0004" ] } ], "title": "Medical Informatics Engineering Enterprise Health reflected cross site scripting via portlet_user_id" } ] }
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.