Auth bypass in Hasomed Elefant
CVE-2024-50589
An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR).
Vulnerability class: Broken Authentication
EPSS: 0.002 (41.3rd percentile)
Affected products
- Hasomed Elefant — versions <24.04.00
Weakness classification (CWE)
References
- r.sec-consult.com/hasomed (third-party-advisory)
- hasomed.de/produkte/elefant/ (patch)