VYPR
Medium severity · NVD Advisory · Published Aug 27, 2025 · Updated Apr 15, 2026

CVE-2025-30060


Description

In the ReturnUserUnitsXML.pl service, the "getUserInfo" function is vulnerable to SQL injection through the "UserID" parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in CGM CLININET's ReturnUserUnitsXML.pl getUserInfo function via the UserID parameter lets an attacker run arbitrary SQL against the backend database.

Vulnerability

Overview

The ReturnUserUnitsXML.pl service in CGM CLININET contains a SQL injection vulnerability in the getUserInfo function. The flaw arises because the UserID parameter is neither validated nor bound as a query parameter before it is placed into SQL text, so quote characters and keywords in the value change the structure of the query instead of being treated as data.

Exploitation

An attacker exploits this by sending an HTTP request to the ReturnUserUnitsXML.pl endpoint with SQL syntax embedded in the UserID parameter; the injected text alters the WHERE clause or appends further statements rather than selecting a single user. The public description does not say whether the endpoint requires authentication, so defenders should not assume a login gate protects it.
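To make the flaw concrete, the following is an added example written for this page; it is not CGM's code and not part of the advisory. It is a Python stand-in for the Perl CGI pattern the description implies: the user-supplied UserID is spliced into SQL text. The table layout, column names, sample rows, the two payloads, and the assumption that valid identifiers are short numeric strings are all constructed for the demonstration. It shows the interpolated query beside the parameterized one and adds an allow-list check at the request boundary.

```python
import re
import sqlite3

# Constructed sample data standing in for the user/unit tables the real
# service queries. Table and column names are assumptions, not CGM's schema.
ROWS = [
    ("1001", "jkowalski", "Cardiology"),
    ("1002", "anowak", "Radiology"),
    ("1003", "admin", "IT"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT PRIMARY KEY, login TEXT, unit TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def get_user_info_vulnerable(conn, user_id):
    """Hypothetical reconstruction of the flawed pattern (not CGM's code):
    the UserID value is spliced into the SQL text, so quotes and keywords
    in it become part of the statement instead of a literal value."""
    sql = f"SELECT user_id, login, unit FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def get_user_info_fixed(conn, user_id):
    """Hardened form: the value is bound as a parameter, so the database
    compares it against user_id and never parses it as SQL."""
    sql = "SELECT user_id, login, unit FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Assumption for the demo: legitimate identifiers are 1-10 ASCII digits.
USER_ID_RE = re.compile(r"^[0-9]{1,10}$")


def is_well_formed_user_id(value):
    """Defence in depth at the request boundary: reject anything that does
    not have the expected identifier shape before it reaches the query."""
    return bool(USER_ID_RE.match(value))


def demo():
    """Run both query styles against a benign value and two injection
    payloads and return the results keyed by scenario."""
    conn = make_db()
    # Tautology payload: rewrites the WHERE clause so it matches every row.
    tautology = "' OR '1'='1"
    # UNION payload: appends rows from another table (SQLite's catalogue
    # here) to the result set, the classic data-extraction primitive.
    union = "x' UNION SELECT name, type, '' FROM sqlite_master WHERE type='table' --"
    results = {
        "benign_vulnerable": get_user_info_vulnerable(conn, "1001"),
        "tautology_vulnerable": get_user_info_vulnerable(conn, tautology),
        "union_vulnerable": get_user_info_vulnerable(conn, union),
        "tautology_fixed": get_user_info_fixed(conn, tautology),
        "union_fixed": get_user_info_fixed(conn, union),
        "tautology_rejected": not is_well_formed_user_id(tautology),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against the constructed table the interpolated query returns all three users for the tautology payload and a row from sqlite_master for the UNION payload, while the parameterized query returns nothing for either because the whole string is compared as one user_id value. In Perl DBI the equivalent fix is `prepare` with a `?` placeholder and `execute($user_id)` instead of interpolating the CGI parameter into the statement string; the allow-list check is a second layer, not a substitute for binding.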

Impact

Successful exploitation lets an attacker run arbitrary SQL statements against the application's database, which could expose patient data, alter records, or serve as a foothold for further compromise of the database server. In a hospital information system, both confidentiality and integrity of clinical data are at stake.

Mitigation

The vendor, CGM, was notified through CERT Polska [1]. Apply the security update from CGM as soon as one is published; at the time of writing this page lists no patch and no public workaround. Until then, the generic controls for SQL injection apply: limit which clients can reach the ReturnUserUnitsXML.pl endpoint and alert on requests whose UserID value is not a plain identifier.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.


References

1
