Description
This vulnerability exists in e-Sushrut due to the use of reversible Base64 encoding for protecting sensitive data. An authenticated attacker could exploit this vulnerability by decoding and manipulating Base64-encoded parameters in the request URL to gain unauthorized access to sensitive information on the targeted system.
Published: 2026-04-29
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the use of reversible Base64 encoding to protect sensitive data in e-Sushrut HMIS. An attacker with valid credentials can decode, modify, and re‑encode Base64 parameters in request URLs, allowing tampering and unauthorized disclosure of protected information. This flaw permits an authenticated user to bypass normal authorization controls and access or view data that should remain confidential.

Affected Systems

The issue affects the CDAC‑Noida e‑Sushrut Hospital Management Information System (HMIS). All earlier releases listed as previous_versions in the CPE are susceptible; the latest vetted release is not known to be affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. No EPSS score is listed, so the current likelihood of exploitation is unknown, and the vulnerability is not catalogued in CISA's KEV. The likely attack vector is remote over HTTP: the attacker must first authenticate to the system and then craft manipulated request URLs to extract or modify sensitive data. Once exploited, the attacker can read or alter confidential information, compromising data confidentiality and integrity.

Generated by OpenCVE AI on April 29, 2026 at 09:51 UTC.

Remediation

Vendor Solution

Contact C-DAC to upgrade e-Sushrut HMIS to the latest version.


OpenCVE Recommended Actions

  • Contact C‑DAC and upgrade e‑Sushrut HMIS to the latest patched release that removes reversible Base64 encoding of sensitive data.
  • Replace any remaining Base64‑encoded parameters with secure encryption (e.g., AES) or remove sensitive data from URLs entirely, ensuring that only non‑critical information is exposed.
  • Enforce strict access control checks that validate user permissions before allowing any request to access or modify sensitive data, and implement input validation to reject tampered URL parameters.
  • Conduct a security review of all exposed endpoints to confirm that no other reversible encoding or similar weaknesses remain.
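The second and third recommendations can be illustrated with a short added example; it is not e-Sushrut code and not taken from the advisory. It puts the Base64-only pattern next to a parameter that is bound to the session user with an HMAC tag and re-checked against a server-side ownership table. It uses HMAC signing rather than encryption, and the record IDs, user names, key handling and function names are all assumptions.

```python
import base64, hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
# Constructed sample data: record ID -> user allowed to read it (hypothetical values).
RECORD_OWNER = {"1001": "alice", "1002": "bob"}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def weak_param(record_id: str) -> str:
    """Pattern described in the advisory: Base64 only, no secret involved."""
    return b64(record_id.encode())

def weak_lookup(param: str, user: str) -> str:
    """Trusts whatever decodes; the caller's identity is never consulted."""
    return unb64(param).decode()

def signed_param(record_id: str, user: str) -> str:
    """Bind the record ID to the session user and append an HMAC-SHA256 tag."""
    payload = f"{user}:{record_id}".encode()  # assumes user names contain no ':'
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)

def hardened_lookup(param: str, user: str) -> str:
    """Reject tampered parameters, then enforce ownership on the server."""
    try:
        body, tag = param.split(".")
        payload, given = unb64(body), unb64(tag)
        owner, record_id = payload.decode().split(":")
    except (ValueError, UnicodeDecodeError):
        raise PermissionError("malformed parameter")
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        raise PermissionError("tampered parameter")
    # The signature only proves the server issued the value; authorization
    # is still decided from server-side state on every request.
    if owner != user or RECORD_OWNER.get(record_id) != user:
        raise PermissionError("not authorized for this record")
    return record_id
```

The ownership check is what addresses CWE-639: a validly signed parameter for a record the user does not own is still refused.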


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 09:15:00 +0000

Values added (no values removed):

Description: This vulnerability exists in e-Sushrut due to the use of reversible Base64 encoding for protecting sensitive data. An authenticated attacker could exploit this vulnerability by decoding and manipulating Base64-encoded parameters in the request URL to gain unauthorized access to sensitive information on the targeted system.
Title: Cryptographic Failure Vulnerability in e-Sushrut HMIS
First Time appeared: Cdac-noida; Cdac-noida e-sushrut Hospital Management Information System Hmis
Weaknesses: CWE-639
CPEs: cpe:2.3:a:cdac-noida:e-sushrut_hospital_management_information_system_hmis_:previous_versions:*:*:*:*:*:*:*
Vendors & Products: Cdac-noida; Cdac-noida e-sushrut Hospital Management Information System Hmis
References:
Metrics: cvssV4_0, score 7.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-04-29T08:30:09.583Z

Reserved: 2026-04-28T08:14:36.620Z

Link: CVE-2026-42517

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-29T09:16:24.923

Modified: 2026-04-29T09:16:24.923

Link: CVE-2026-42517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:30:09Z

Weaknesses