Description
This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs.

Successful exploitation of this vulnerability could allow an attacker to impersonate the target user and gain unauthorized access to user accounts on the targeted system.
Published: 2026-04-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in e‑Sushrut’s API responses, where one‑time passwords are exposed in plaintext. An attacker who can observe these responses can capture valid OTPs, use them to impersonate the corresponding user, and gain unauthorized access to the victim’s account. This flaw falls under CWE‑319, Plaintext storage of sensitive information.

Affected Systems

The affected product is CDAC Noida e‑Sushrut Hospital Management Information System (HMIS). All previous versions of the system are potentially impacted; no specific sub‑version details are available.

Risk and Exploitability

With a CVSS score of 8.8, this issue is considered high severity. The EPSS value is unavailable, and it is not listed in the CISA KEV catalog. The attack vector is inferred to be remote network interception of API traffic; an attacker with network access between the client and server can capture the plaintext OTPs. No additional authentication or privileges are required beyond normal network connectivity, making exploitation relatively straightforward for a determined adversary.

Generated by OpenCVE AI on April 29, 2026 at 09:20 UTC.

Remediation

Vendor Solution

Contact C-DAC for upgrading e-Sushrut HMIS to latest version

OpenCVE Recommended Actions

  • Upgrade e‑Sushrut HMIS to the latest version to eliminate OTP exposure.
  • Ensure all API endpoints use TLS so that even if traffic is captured, OTPs remain encrypted.
  • Restrict network access to API services and monitor responses for accidental disclosure of sensitive data.

Generated by OpenCVE AI on April 29, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target user and gain unauthorized access to user accounts on the targeted system.
Title Sensitive Data Exposure Vulnerability in e-Sushrut HMIS
First Time appeared Cdac-noida
Cdac-noida e-sushrut Hospital Management Information System Hmis
Weaknesses CWE-319
CPEs cpe:2.3:a:cdac-noida:e-sushrut_hospital_management_information_system_hmis_:previous_versions:*:*:*:*:*:*:*
Vendors & Products Cdac-noida
Cdac-noida e-sushrut Hospital Management Information System Hmis
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cdac-noida E-sushrut Hospital Management Information System Hmis
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-04-29T08:17:12.372Z

Reserved: 2026-04-28T08:14:36.620Z

Link: CVE-2026-42514

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-29T09:16:24.553

Modified: 2026-04-29T09:16:24.553

Link: CVE-2026-42514

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:00:09Z

Weaknesses