PT-2022-11223 · Apperta Foundation · Openeyes
Published 2022-04-06 · Updated 2022-04-13
CVE-2021-40375
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apperta Foundation OpenEyes version 3.5.1
Description
The issue allows remote attackers to view sensitive patient information without the intended level of privilege. Although OpenEyes returns a Forbidden error message, it still includes the patient's profile contents in the server response, which can be accessed through an intercepting proxy or by viewing the page source. Sensitive information exposed includes patient personally identifiable information (PII) and medication records or history.
Recommendations
For Apperta Foundation OpenEyes version 3.5.1, consider restricting access to patient profiles until a fix is available, and ensure that server responses do not include sensitive information even when a Forbidden error is returned.
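The failure mode the advisory describes, a Forbidden status whose body still carries the record, and the ordering that avoids it, as an added illustration that is not OpenEyes code. The two handlers, the patient and user tables, and the `leaks_on_denial` check are all hypothetical and constructed for this example.

```python
import json
from typing import Callable, Iterator, Tuple

# Constructed sample data standing in for the patient store and user permissions.
PATIENTS = {
    "P001": {"name": "Example Patient", "dob": "1970-01-01",
             "medications": ["latanoprost 0.005%"]},
}
USERS = {"alice": {"can_view": {"P001"}}, "mallory": {"can_view": set()}}


def vulnerable_handler(user: str, patient_id: str) -> Tuple[int, str]:
    """Mirrors the reported pattern: the record is rendered first and the
    permission check only changes the status code, so a 403 still leaks."""
    record = PATIENTS.get(patient_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    page = {"error": None, "patient": record}   # rendered before authorisation
    if patient_id not in USERS[user]["can_view"]:
        page["error"] = "Forbidden"             # status changes, body does not
        return 403, json.dumps(page)
    return 200, json.dumps(page)


def hardened_handler(user: str, patient_id: str) -> Tuple[int, str]:
    """Authorise before loading anything; a denial carries only a generic body."""
    if patient_id not in USERS[user]["can_view"]:
        return 403, json.dumps({"error": "Forbidden"})
    record = PATIENTS.get(patient_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps({"error": None, "patient": record})


def _sensitive_values(record: dict) -> Iterator[str]:
    """Flatten record fields (including list-valued ones) to plain strings."""
    for value in record.values():
        if isinstance(value, list):
            yield from (str(x) for x in value)
        else:
            yield str(value)


def leaks_on_denial(handler: Callable[[str, str], Tuple[int, str]],
                    user: str, patient_id: str) -> bool:
    """Review check: does a non-200 response still contain any record field?"""
    status, body = handler(user, patient_id)
    if status == 200:
        return False
    return any(v in body for v in _sensitive_values(PATIENTS.get(patient_id, {})))
```

The same check can be run against captured responses from an intercepting proxy: any 403 whose body contains record values is the condition described above.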
Vulnerability type: Information Disclosure
Affected Products: Openeyes