Description
Clinic Pro contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the month parameter. Attackers can send POST requests to the monthly_expense_overview endpoint with crafted month values using boolean-based blind, time-based blind, or error-based SQL injection techniques to extract sensitive database information.
Published: 2026-03-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure via SQL Injection
Action: Patch ASAP
AI Analysis

Impact

Clinic Pro contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the month parameter of the monthly_expense_overview endpoint. This weakness, classified as CWE-89, can be exploited using boolean-based blind, time-based blind, or error-based techniques, enabling attackers to extract sensitive database information, potentially exposing confidential patient records and financial data.
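The injection pattern described above, shown beside its hardened form, as an added illustration rather than Clinic Pro's own code (the product's source is not on this page). It assumes a small SQLite schema (an expenses table and a users table) and a Python request handler standing in for the monthly_expense_overview endpoint; these names are assumptions. The vulnerable handler splices the month value into the SQL text, so a boolean condition appended to it changes whether a total comes back, and that difference is enough to read other tables one character at a time. Only the boolean-based blind technique is exercised, since SQLite has no delay function for the time-based variant; the fixed handler allow-lists the value and binds it as a parameter.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in data; Clinic Pro's real schema is unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE expenses (id INTEGER, month INTEGER, amount REAL)")
    conn.executemany(
        "INSERT INTO expenses VALUES (?, ?, ?)",
        [(1, 1, 120.0), (2, 1, 80.0), (3, 2, 50.0), (4, 3, 300.0)],
    )
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'deadbeef')")
    return conn


def monthly_total_vulnerable(conn, month):
    """CWE-89: the request value is pasted into the SQL text, so anything the
    attacker appends becomes part of the WHERE clause."""
    sql = f"SELECT SUM(amount) FROM expenses WHERE month = {month}"
    return conn.execute(sql).fetchone()[0]  # SUM over no rows is NULL -> None


def blind_extract(conn, column, length, alphabet="0123456789abcdef"):
    """Boolean-based blind extraction through the vulnerable handler: the
    response differs (a total vs. nothing) depending on whether the injected
    condition is true, which leaks `column` from the users table one
    character at a time. Only hex characters are tried here."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            condition = f"(SELECT substr({column},{pos},1) FROM users)='{ch}'"
            if monthly_total_vulnerable(conn, f"1 AND {condition}") is not None:
                recovered += ch
                break
    return recovered


# A calendar month, optionally zero-padded, and nothing else.
MONTH_ALLOWLIST = re.compile(r"0?[1-9]|1[0-2]")


def monthly_total_fixed(conn, month):
    """Hardened version: the value must match the allow-list (checked on the
    raw string, so '1 AND 1=1' or '1_0' never reach int()), and it is bound
    as a parameter instead of being spliced into the query."""
    if not isinstance(month, str) or not MONTH_ALLOWLIST.fullmatch(month):
        raise ValueError("month must be an integer between 1 and 12")
    sql = "SELECT SUM(amount) FROM expenses WHERE month = ?"
    return conn.execute(sql, (int(month),)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("legitimate request:", monthly_total_vulnerable(db, "1"))
    print("leaked via boolean oracle:", blind_extract(db, "password_hash", 8))
    try:
        monthly_total_fixed(db, "1 AND 1=1")
    except ValueError as exc:
        print("hardened handler rejected payload:", exc)
```

The parameter binding is what removes the injection point; the allow-list is defence in depth and also gives a clean place to log rejected values.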

Affected Systems

The vulnerability affects Softwebinternational's Clinic Pro product. The CNA data lists no affected version range, so, absent a vendor fix, every deployment should be treated as vulnerable.

Risk and Exploitability

The CVSS score of 7.1 (v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) places the issue in the high severity range: network-reachable, low attack complexity, and a high confidentiality impact with only limited integrity impact, which matches data disclosure rather than data tampering. The EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the SSVC data recorded on 14 March 2026 does, however, mark Exploitation as 'poc', so a proof of concept is known even though the attack is rated as not automatable. The attack requires an authenticated account with low privileges (PR:L), so an attacker must first obtain or compromise valid credentials. That reduces exposure compared to unauthenticated vulnerabilities, but any user-level account is a sufficient foothold.

Generated by OpenCVE AI on March 18, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a software update or patch from Softwebinternational that addresses the SQL injection in Clinic Pro as soon as one is published; none is listed at the time of writing.
  • Restrict access to the monthly_expense_overview endpoint to the administrative roles that need the expense report, so that a compromised low-privilege account cannot reach the injectable parameter.
  • Rewrite the query to bind month as a parameter (prepared statement) instead of building SQL by string concatenation; validate month against an allow-list of the integers 1 to 12 as well, but as defence in depth, since validation alone does not remove the injection point.
  • Monitor application and web server logs for POST requests to monthly_expense_overview whose month value is not a one- or two-digit month: quotes, comment sequences, appended AND/OR conditions, and delay functions such as SLEEP or BENCHMARK are the signatures of the error-based, boolean-based, and time-based techniques named in the description.
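A detection check for the last recommendation, run over constructed log lines; this is an added example, not OpenCVE's or the vendor's tooling. The log layout (timestamp, method, path, URL-encoded POST body) is assumed, since Clinic Pro's real log format is not documented here, and the token list reflects the three techniques the description names: quotes and comment sequences for error-based probing, AND/OR comparisons for boolean-based probing, and delay functions for time-based probing.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log in an assumed "timestamp method path body" layout.
SAMPLE_LOG = """\
2026-03-12T10:01:02Z POST /monthly_expense_overview month=3
2026-03-12T10:01:09Z POST /monthly_expense_overview month=03
2026-03-12T10:02:15Z POST /monthly_expense_overview month=3%20AND%201%3D1
2026-03-12T10:02:16Z POST /monthly_expense_overview month=3%20AND%201%3D2
2026-03-12T10:03:40Z POST /monthly_expense_overview month=3%20AND%20SLEEP(5)
2026-03-12T10:04:01Z POST /monthly_expense_overview month=3'
2026-03-12T10:05:00Z POST /monthly_expense_overview month=13
2026-03-12T10:06:00Z POST /other_page month=3%20AND%201%3D1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

# What a legitimate value looks like: a calendar month, optionally zero-padded.
VALID_MONTH = re.compile(r"^(0?[1-9]|1[0-2])$")

# Quotes/comments (error-based), AND/OR comparisons (boolean-based),
# delay and error-raising functions (time-based / error-based).
SQLI_TOKENS = re.compile(
    r"""['"]|--|/\*|\b(?:and|or)\b\s*[\w'"()]+\s*[=<>]"""
    r"""|\b(?:sleep|benchmark|waitfor|pg_sleep|extractvalue|updatexml)\b""",
    re.IGNORECASE,
)


def classify_month(value):
    """Return None for a legitimate month, otherwise a short reason."""
    if VALID_MONTH.match(value):
        return None
    if SQLI_TOKENS.search(value):
        return "sqli-pattern"
    return "out-of-range"


def scan_log(text, endpoint="/monthly_expense_overview"):
    """Report every POST to `endpoint` whose month parameter is not a plain
    month value. Requests to other paths are ignored on purpose: the point is
    to baseline the one parameter the advisory names."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, method, path, body = m.groups()
        if method != "POST" or path != endpoint:
            continue
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get("month", []):
            reason = classify_month(value)
            if reason is not None:
                findings.append({"ts": ts, "month": value, "reason": reason})
    return findings


def probe_pairs(findings):
    """Count back-to-back sqli-pattern hits. A true/false pair such as
    '... AND 1=1' followed by '... AND 1=2' is the signature of boolean-based
    blind enumeration and deserves a higher-priority alert than a lone quote.
    This is a deliberately simple heuristic, not a full correlation rule."""
    return sum(
        1
        for a, b in zip(findings, findings[1:])
        if a["reason"] == b["reason"] == "sqli-pattern"
    )


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} month={f['month']!r} -> {f['reason']}")
    print("consecutive probe pairs:", probe_pairs(hits))
```

An out-of-range value such as 13 is not itself an attack, but it is the kind of request a scanner sends while fingerprinting the parameter, so it is reported separately rather than dropped.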

Advisories

No advisories yet.

History

Sat, 14 Mar 2026 04:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Softwebinternational; Softwebinternational clinic Pro

Type: Vendors & Products
Values Added: Softwebinternational; Softwebinternational clinic Pro

Thu, 12 Mar 2026 16:00:00 +0000

Type: Description
Values Added: Clinic Pro contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the month parameter. Attackers can send POST requests to the monthly_expense_overview endpoint with crafted month values using boolean-based blind, time-based blind, or error-based SQL injection techniques to extract sensitive database information.

Type: Title
Values Added: Clinic Pro SQL Injection via monthly_expense_overview month Parameter

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none recorded)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-14T03:38:47.321Z

Reserved: 2026-02-23T12:12:25.226Z

Link: CVE-2019-25473

Vulnrichment

Updated: 2026-03-14T03:38:38.030Z

NVD

Status : Deferred

Published: 2026-03-12T16:16:01.850

Modified: 2026-04-15T14:56:45.970

Link: CVE-2019-25473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:37Z

Weaknesses