CVE-2024-12917
Published: 24 February 2025
Description
Files or Directories Accessible to External Parties vulnerability in Agito Computer Health4All allows Exploiting Incorrectly Configured Access Control Security Levels, Authentication Abuse. This issue affects Health4All: before 10.01.2025.
Security Summary
CVE-2024-12917 is a Files or Directories Accessible to External Parties vulnerability (CWE-552) in Agito Computer Health4All software. It enables exploitation of incorrectly configured access control security levels and authentication abuse, affecting Health4All versions prior to 10.01.2025. The vulnerability has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality and integrity.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. Successful exploitation allows external access to sensitive files or directories, potentially leading to high confidentiality loss through data exposure, high integrity compromise via unauthorized modifications, and low availability disruption.
The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0042 provides details on this issue. Mitigation involves upgrading Health4All to version 10.01.2025 or later, as the vulnerability affects only prior releases. Security practitioners should review access controls and authentication mechanisms in affected environments.
Details
- CWE(s)