CVE-2025-30037— Missing authentication in APIs allowing data retrieval and modification

EPSS 0.03% · P8 Updated Aug 28, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-30037

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Missing authentication in APIs allowing data retrieval and modification

Source: NVD (National Vulnerability Database)

Vulnerability Description

The system exposes several endpoints, typically including "/int/" in their path, that should be restricted to internal services, but are instead publicly accessible without authentication to any host able to reach the application server on port 443/tcp.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

关键功能的认证机制缺失

Source: NVD (National Vulnerability Database)

Vulnerability Title

CGM CLININET 访问控制错误漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

CGM CLININET是德国CGM公司的一款医院信息管理系统。 CGM CLININET存在访问控制错误漏洞，该漏洞源于内部端点未经验证可公开访问。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
CGM	CGM CLININET	0 ~ 2025.MS2	-

II. Public POCs for CVE-2025-30037

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-30037

请登录查看更多情报信息。

Same Patch Batch · CGM · 2025-08-27 · 17 CVEs total

CVE-2025-2313		RCE via Print.pl in uhcPrintServerPrint
CVE-2025-30061		SQL injection in utils/Reporter/OpenReportWindow.pl via the UserID parameter
CVE-2025-30039		Missing authentication in API returning a list of all active sessions
CVE-2025-30064		Possibility to generate a session for any user via the "ex:action" parameter after obtaini
CVE-2025-30040		Missing authentication in API returning request logs containing session IDs
CVE-2025-30063		Excessive permissions on configuration files containing database logins and passwords
CVE-2025-30036		Stored XSS permitting session takeover of arbitrary user
CVE-2025-30056		Calling system commands via RunCommand
CVE-2025-30058		SQL injection in getPatientIdentifier function of PatientService.pl
CVE-2025-30060		SQL injection in ReturnUserUnitsXML.pl via the UserID parameter
CVE-2025-30048		Unauthenticated access to module configuration endpoint
CVE-2025-30038		Session ID leakage in Zone.Identifier of downloaded files
CVE-2025-30057		Authenticated RCE with uhcapache privileges in ConvertToPDF
CVE-2025-30059		Authenticated SQL injection in PrepareCDExportJSON.pl
CVE-2025-30041		Missing authentication in APIs returning statistical data along with session IDs
CVE-2025-30055		Conditional RCE via the "system" function

IV. Related Vulnerabilities

Same product: CGM CLININET

Same vendor: CGM

Same weakness: CWE-306

V. Comments for CVE-2025-30037

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-30037— Missing authentication in APIs allowing data retrieval and modification

I. Basic Information for CVE-2025-30037

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-30037

III. Intelligence Information for CVE-2025-30037

Same Patch Batch · CGM · 2025-08-27 · 17 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2025-30037

Leave a comment