Missing authorization checks on an imaging endpoint in synedra WebPatient / synedra Web allowed access to medical imaging metadata from patients
Swiss Health Sector
NTCF: NTCF-2024-40089
Product: synedra WebPatient / Web
Vendor: synedra IT GmbH
Criticality: high
Status: fixed
Discovered: 2024-12-23
Detail: Public
Vulnerable version:
synedraWeb: <=22.0.0.14, <=23.0.0.7, <=24.0.0.6
synedraWebPatient: <=22.0.0.9, <=23.0.0.6, <=24.0.0.7
Fixed version:
synedraWeb: 22.0.0.15, 23.0.0.8, 24.0.0.7
synedraWebPatient: 22.0.0.10, 23.0.0.7, 24.0.0.8
Description
In accordance with the NTC Vulnerability Disclosure Policy, no technical details about this vulnerability will be publicly disclosed. Further details may be provided on a case-by-case basis.
Please use the contact form and provide an explanation for your request.
Synedra published details about the security vulnerability in synedra Security Advisory synSA-153011. Affected customers can request these details directly from synedra.
Timeline
2024-12-23: initial discovery
2024-12-31: vendor fix based on an overlapping report from another security researcher
2025-01-15: first contact with vendor
2025-01-15: private disclosure to vendor
2025-05-21: public disclosure