Trevor Lapay

**Name of the Vulnerable Software and Affected Versions** Medical Informatics Engineering Enterprise Health (affected versions not specified) **Description** An authenticated attacker can inject arbitrary content into the 'Demographic Information' page, leading to the execution of malicious code when a victim accesses the page. This is a stored cross-site scripting issue. **Recommendations** Update to a version released on or after 2025-03-14.

**Name of the Vulnerable Software and Affected Versions** Medical Informatics Engineering Enterprise Health (affected versions not specified) **Description** The software contains a cross site request forgery condition. An unauthenticated attacker can deceive administrative users into clicking a specially crafted URL, enabling the attacker to perform actions as that administrative user. **Recommendations** Update to a version released on or after 2025-04-08.

**Name of the Vulnerable Software and Affected Versions** Medical Informatics Engineering Enterprise Health (affected versions not specified) **Description** The software includes a user's current session token in debug output. An attacker could potentially convince a user to send this output to the attacker, enabling the attacker to impersonate that user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Medical Informatics Engineering Enterprise Health versions prior to 2025-04-08 **Description** Authenticated users are able to upload arbitrary files. The impact of this behavior is dependent on how these files are accessed. Approximately 2000 healthcare organizations worldwide utilize this software. There are no details about real-world exploitation of this issue. **Recommendations** Update to version 2025-04-08 or later.

**Name of the Vulnerable Software and Affected Versions** Medical Informatics Engineering Enterprise Health versions prior to 2025-03-14 **Description** A CSV injection issue exists that permits a remote, authenticated attacker to inject macros into downloadable CSV files. The issue was resolved on March 14, 2025. **Recommendations** Update to version 2025-03-14 or later.

**Name of the Vulnerable Software and Affected Versions** Medical Informatics Engineering Enterprise Health (affected versions not specified) **Description** A reflected cross site scripting issue exists in the 'portlet user id' URL parameter. An unauthenticated, remote attacker can create a malicious URL to execute arbitrary JavaScript code within a victim’s browser. The issue is addressed as of 2025-03-14. The vulnerable parameter is `portlet user id`. **Recommendations** Update to a version released on or after 2025-03-14.