
    2 vulnerabilities found for CGM NETRAAD by CGM

    CVE-2025-10350 (GCVE-0-2025-10350)

    Vulnerability from nvd – Published: 2026-03-02 11:09 – Updated: 2026-03-02 13:23
    VLAI
    Title
    SQL injection in CGM NETRAAD
    Summary
    SQL Injection vulnerability in the "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows an attacker connected to the PACS to gain access to the database, including data processed by CGM CLININET software. This issue affects CGM NETRAAD with the imageserver module in versions before 7.9.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CGM CGM NETRAAD Affected: 0 , < 7.9.0 (custom)
    Credits
    Maciej Kazulak

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-10350",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T13:23:19.342851Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-02T13:23:30.175Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "imageserver"
              ],
              "product": "CGM NETRAAD",
              "vendor": "CGM",
              "versions": [
                {
                  "lessThan": "7.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Maciej Kazulak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SQL Injection vulnerability in \"imageserver\" module when processing C-FIND queries\u0026nbsp;in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edata processed by\u003c/span\u003e GCM CLININET software.\u003cp\u003eThis issue affects CGM NETRAAD with imageserver module in versions before 7.9.0.\u003c/p\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in \"imageserver\" module when processing C-FIND queries\u00a0in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including\u00a0data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in versions before 7.9.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "ADJACENT",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-02T11:09:37.785Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2026/03/CVE-2025-10350/"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.cgm.com/pol_pl/products/szpital/cgm-netraad.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "SQL injection in\u00a0CGM NETRAAD",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2025-10350",
        "datePublished": "2026-03-02T11:09:37.785Z",
        "dateReserved": "2025-09-12T10:33:47.576Z",
        "dateUpdated": "2026-03-02T13:23:30.175Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-10350 (GCVE-0-2025-10350)

    Vulnerability from cvelistv5 – Published: 2026-03-02 11:09 – Updated: 2026-03-02 13:23
    VLAI
    Title
    SQL injection in CGM NETRAAD
    Summary
    SQL Injection vulnerability in the "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows an attacker connected to the PACS to gain access to the database, including data processed by CGM CLININET software. This issue affects CGM NETRAAD with the imageserver module in versions before 7.9.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CGM CGM NETRAAD Affected: 0 , < 7.9.0 (custom)
    Credits
    Maciej Kazulak

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-10350",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T13:23:19.342851Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-02T13:23:30.175Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "imageserver"
              ],
              "product": "CGM NETRAAD",
              "vendor": "CGM",
              "versions": [
                {
                  "lessThan": "7.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Maciej Kazulak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SQL Injection vulnerability in \"imageserver\" module when processing C-FIND queries\u0026nbsp;in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edata processed by\u003c/span\u003e GCM CLININET software.\u003cp\u003eThis issue affects CGM NETRAAD with imageserver module in versions before 7.9.0.\u003c/p\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in \"imageserver\" module when processing C-FIND queries\u00a0in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including\u00a0data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in versions before 7.9.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "ADJACENT",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-02T11:09:37.785Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2026/03/CVE-2025-10350/"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.cgm.com/pol_pl/products/szpital/cgm-netraad.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "SQL injection in\u00a0CGM NETRAAD",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2025-10350",
        "datePublished": "2026-03-02T11:09:37.785Z",
        "dateReserved": "2025-09-12T10:33:47.576Z",
        "dateUpdated": "2026-03-02T13:23:30.175Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }