Description
Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable to Insecure Permissions, which allows arbitrary user password reset.
Published: 2026-05-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Medical Management System permits an attacker to reset any user account password due to improper permission checks. The vulnerability enables unauthorized credential modification, effectively bypassing authentication controls and allowing account takeover. This weakness is classed as improper privilege management, commonly identified as CWE-284.

Affected Systems

The affected product is the Medical Management System referenced by the identifier a81df1ce700a9662cb136b27af47f4cbde64156b. No specific vendor, product name, or version information is provided in the available data, so it is unclear which builds or deployments are impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV, but the potential for critical impact is clear: an attacker who can trigger password resets can immediately assume control of any user account. The likely attack vector is via the password reset interface or API, which I infer is exposed over the network or through an application layer. Since the vulnerability hinges on insecure permissions rather than on separate exploit code, it is presumed easier to exploit than code-execution flaws, though the exact exploitation likelihood remains undetermined.

Generated by OpenCVE AI on May 15, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Revise the password reset logic to enforce that only users with administrator or privileged roles can perform a reset.
  • Add authentication checks and role verification before processing any password reset request.
  • Enable detailed logging for all password reset events and set up alerts for unusual activity.
  • Review and tighten access control configurations in the configuration files or database to prevent unauthorized write access to reset functions.
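The missing check behind this class of bug, and the fix the recommendations describe, shown as an added illustration in Python. This is not code from the affected product (whose source is not on this page); the handler names, the sample accounts and the audit log list are constructed for the example.

```python
import hashlib
import os
from dataclasses import dataclass

class PermissionDenied(Exception): pass

@dataclass
class User:
    username: str
    role: str            # "user" or "admin"
    password_hash: bytes = b""

def hash_password(password: str) -> bytes:
    salt = os.urandom(16)   # salt stored in front of the PBKDF2 output
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample accounts (not real users of the affected product).
USERS = {
    "alice": User("alice", "user", hash_password("alice-old")),
    "bob": User("bob", "user", hash_password("bob-old")),
    "root": User("root", "admin", hash_password("root-old")),
}
AUDIT_LOG = []   # (event, caller, target) tuples; hypothetical sink for alerting

def reset_password_vulnerable(caller: User, target: str, new_password: str) -> bool:
    # Pattern behind the advisory: checks that *someone* is logged in, but never
    # checks whether that caller may touch the target account (CWE-284).
    if caller is None:
        return False
    USERS[target].password_hash = hash_password(new_password)
    return True

def reset_password_fixed(caller: User, target: str, new_password: str) -> bool:
    # Hardened: authenticate, then authorize (self-service or admin only), and
    # record every attempt so denied cross-account resets can be alerted on.
    if caller is None:
        raise PermissionDenied("authentication required")
    if caller.role != "admin" and caller.username != target:
        AUDIT_LOG.append(("reset_denied", caller.username, target))
        raise PermissionDenied(f"{caller.username} may not reset {target}")
    USERS[target].password_hash = hash_password(new_password)
    AUDIT_LOG.append(("reset_ok", caller.username, target))
    return True

def try_reset(handler, caller_name: str, target: str, new_password: str) -> str:
    # Small driver returning "ok" or "denied" so both handlers compare easily.
    try:
        return "ok" if handler(USERS[caller_name], target, new_password) else "denied"
    except PermissionDenied:
        return "denied"
```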

Generated by OpenCVE AI on May 15, 2026 at 22:28 UTC.

Advisories

No advisories yet.

History

Sat, 16 May 2026 21:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 22:45:00 +0000

Type: Title
Value: Arbitrary User Password Reset via Insecure Permissions in Medical Management System

Fri, 15 May 2026 21:45:00 +0000

Type: Title
Value: Insecure Permissions Allowing Arbitrary User Password Reset in Medical Management System
Type: Weaknesses
Value: CWE-269

Fri, 15 May 2026 19:30:00 +0000

Type: Weaknesses
Value: CWE-284
Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Fri, 15 May 2026 16:45:00 +0000

Type: Title
Value: Insecure Permissions Allowing Arbitrary User Password Reset in Medical Management System
Type: Weaknesses
Value: CWE-269

Fri, 15 May 2026 15:15:00 +0000

Type: Description
Value: Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable to Insecure Permissions, which allows arbitrary user password reset.
Type: References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T17:53:32.530Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67437

Vulnrichment

Updated: 2026-05-15T17:53:28.171Z

NVD

Status : Received

Published: 2026-05-15T15:16:49.883

Modified: 2026-05-15T19:16:57.030

Link: CVE-2025-67437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T22:30:06Z

Weaknesses