Asseco InfoMedica Plus up to 4.50.0/5.37.x password recoverable

Summaryinfo

A vulnerability described as problematic has been identified in Asseco InfoMedica Plus up to 4.50.0/5.37.x. Impacted is an unknown function. Executing a manipulation can lead to password recoverable. The identification of this vulnerability is CVE-2025-8307. The attack can only be executed locally. There is no exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability has been found in Asseco InfoMedica Plus up to 4.50.0/5.37.x and classified as problematic. This vulnerability affects an unknown code block. The manipulation with an unknown input leads to a password recoverable vulnerability. The CWE definition for the vulnerability is CWE-257. The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. As an impact it is known to affect confidentiality. CVE summarizes:

Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. Passwords of all users are stored in a database in an encoded format. An attacker in possession of these encoded passwords is able to decode them by using an algorithm embedded in the client-side part of the software.  This vulnerability has been fixed in versions 4.50.1 and 5.38.0

The weakness was shared by Maciej Kazulak. The advisory is available at cert.pl. This vulnerability was named CVE-2025-8307 since 07/29/2025. The exploitation appears to be difficult. Local access is required to approach this attack. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1552 by the MITRE ATT&CK project.

Upgrading to version 4.50.1 or 5.38.0 eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• Asseco

Name

• InfoMedica Plus

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4
• 4.5
• 4.6
• 4.7
• 4.8
• 4.9
• 4.10
• 4.11
• 4.12
• 4.13
• 4.14
• 4.15
• 4.16
• 4.17
• 4.18
• 4.19
• 4.20
• 4.21
• 4.22
• 4.23
• 4.24
• 4.25
• 4.26
• 4.27
• 4.28
• 4.29
• 4.30
• 4.31
• 4.32
• 4.33
• 4.34
• 4.35
• 4.36
• 4.37
• 4.38
• 4.39
• 4.40
• 4.41
• 4.42
• 4.43
• 4.44
• 4.45
• 4.46
• 4.47
• 4.48
• 4.49
• 4.50.0
• 5.0
• 5.1
• 5.2
• 5.3
• 5.4
• 5.5
• 5.6
• 5.7
• 5.8
• 5.9
• 5.10
• 5.11
• 5.12
• 5.13
• 5.14
• 5.15
• 5.16
• 5.17
• 5.18
• 5.19
• 5.20
• 5.21
• 5.22
• 5.23
• 5.24
• 5.25
• 5.26
• 5.27
• 5.28
• 5.29
• 5.30
• 5.31
• 5.32
• 5.33
• 5.34
• 5.35
• 5.36
• 5.37

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion