| Title | medkey-org medkey v 1.0.0 Insecure Direct Object Reference (IDOR) /Improper Access Control |
|---|
| Description | An issue was discovered in medkey-org medkey, an open-source Hospital Information System, version 1.0.0. The REST API component handles patient data retrieval insecurely in the file 'modules/medical/port/rest/controllers/PatientController.php'.
Specifically, the method 'actionGetPatientById($id)' loads and returns database records based entirely on the user-supplied '$id' request parameter, with no server-side ownership check, role check, or other object-level authorization. Because the base controller 'app\common\rest\ActiveController' also provides no global row-level or object-level access control, any authenticated low-privilege user (such as a generic hospital staff account or another patient) can manipulate the 'id' parameter in REST requests.
By iterating over the identifier range (e.g., changing id=1 to id=2 or id=3), an attacker can read the records of any registered patient, including full names, medical treatment histories (Protected Health Information, PHI), and active medical insurance policy details. This is a horizontal access-control failure rather than a vertical privilege escalation: the attacker's role does not change, but the set of objects it can read expands to every patient in the deployment. |
|---|
| Source | https://github.com/onyxglitch/Medkey-EHR-IDOR-PoC |
|---|
| User | onyxglitch (UID 98334) |
|---|
| Submission | 05/17/2026 10:49 |
|---|
| Moderation | 06/14/2026 14:22 (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 370849 [medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed HTTP REST API PatientController.php actionGetPatientById ID resource injection] |
|---|
| Points | 20 |
|---|
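The following is an added illustration of the pattern the description above reports and of one way to close it; it is not code from the medkey repository or the PoC linked under Source. It uses the real `checkAccess()` hook that Yii2's `yii\rest\ActiveController` defines (the built-in view/update/delete actions call it; custom actions such as `actionGetPatientById` must call it themselves). The controller namespace, the `Patient` model class, the `patient_id` attribute on the user identity and the `readAnyPatient` RBAC permission are assumptions made for this example.

```php
<?php
// Added example, not medkey's own code. Namespace, model class, identity
// attribute and permission name are assumed for illustration.

namespace app\modules\medical\port\rest\controllers;

use Yii;
use yii\rest\ActiveController;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use app\modules\medical\models\Patient; // assumed ActiveRecord model

class PatientController extends ActiveController
{
    public $modelClass = Patient::class;

    /**
     * Vulnerable shape: any authenticated caller can fetch any patient by
     * choosing $id. Nothing ties the loaded record to the caller.
     */
    public function actionGetPatientByIdVulnerable($id)
    {
        $patient = Patient::findOne($id);
        if ($patient === null) {
            throw new NotFoundHttpException('Patient not found');
        }
        return $patient;
    }

    /**
     * Hardened shape: load the record, then run the object-level check
     * before returning anything. Every custom action that resolves a
     * record from a client-supplied identifier needs the same call.
     */
    public function actionGetPatientById($id)
    {
        $patient = Patient::findOne($id);
        if ($patient === null) {
            throw new NotFoundHttpException('Patient not found');
        }
        $this->checkAccess($this->action->id, $patient);
        return $patient;
    }

    /**
     * Object-level authorization hook from yii\rest\ActiveController.
     * Returning normally means "allowed"; throwing denies the request.
     */
    public function checkAccess($action, $model = null, $params = [])
    {
        $user = Yii::$app->user;
        if ($user->isGuest) {
            throw new ForbiddenHttpException('Authentication required');
        }

        // Assumed RBAC permission: clinical roles that legitimately read
        // any chart are granted it; a generic staff account is not.
        if ($user->can('readAnyPatient')) {
            return;
        }

        // Assumed: a patient's identity row carries the patient_id it owns,
        // so a patient may read only the record that belongs to them.
        $identity = $user->identity;
        if ($model !== null
            && isset($identity->patient_id)
            && (int) $identity->patient_id === (int) $model->id) {
            return;
        }

        throw new ForbiddenHttpException(
            sprintf('Not allowed to %s a patient record you do not own', $action)
        );
    }
}
```

Two practical notes. First, the hook only helps if it is actually invoked: audit every custom action in the module that calls `findOne()` or `find()->where(['id' => $id])` and confirm `checkAccess()` runs before the model is serialized. Second, the 404-before-403 ordering above lets a caller tell "no such patient" from "not yours" and so enumerate valid ids; where that matters, scope the query to the caller instead (for example, `Patient::find()->where(['id' => $id, 'id' => $identity->patient_id])` for patient roles) so unauthorized ids are simply not found.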