CVE-2023-0967: GitHub - IMA-WorldHealth/bhima: A hospital information management application for rural Congolese hospitals
Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR: it does not properly validate user permissions with respect to certain actions the user can perform.
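The bug class described above, shown as an added example that is not BHIMA's own code: a constructed in-memory user table, a handler that only checks for a session (the IDOR pattern), and a hardened handler that enforces object-level authorization and strips secrets. The `users` records, `role`/`apiToken` fields and function names are all hypothetical, not BHIMA's schema or routes.

```javascript
// Constructed sample data; NOT BHIMA's real user table, roles or fields.
const users = [
  { id: 1, username: 'admin', role: 'admin', email: 'admin@example.test', apiToken: 'tok-admin' },
  { id: 2, username: 'nurse', role: 'user', email: 'nurse@example.test', apiToken: 'tok-nurse' },
  { id: 3, username: 'clerk', role: 'user', email: 'clerk@example.test', apiToken: 'tok-clerk' },
];

// Vulnerable handler (IDOR): the only check is "is the caller logged in?".
// Any authenticated user can read any record by changing the requested id.
function getUserVulnerable(session, requestedId) {
  if (!session) return { status: 401 };
  const user = users.find((u) => u.id === requestedId);
  return user ? { status: 200, body: user } : { status: 404 };
}

// Denied attempts are recorded here; a deployment would ship these to its
// audit log so repeated cross-user reads can be alerted on.
const auditLog = [];

// Hardened handler: object-level authorization. A normal user may only read
// their own record; admins may read any. Secrets are stripped from the
// response so even an authorized read does not leak credentials.
function getUserHardened(session, requestedId) {
  if (!session) return { status: 401 };
  const isSelf = session.userId === requestedId;
  const isAdmin = session.role === 'admin';
  if (!isSelf && !isAdmin) {
    auditLog.push({ actor: session.userId, target: requestedId, action: 'read_user' });
    return { status: 403 };
  }
  const user = users.find((u) => u.id === requestedId);
  if (!user) return { status: 404 };
  const { apiToken, ...safe } = user; // never return secrets over the API
  return { status: 200, body: safe };
}

// Admin-only listing: the role check lives in the route handler, not in the
// client UI, so hiding a menu entry is never the only control.
function listUsersHardened(session) {
  if (!session) return { status: 401 };
  if (session.role !== 'admin') return { status: 403 };
  return { status: 200, body: users.map(({ apiToken, ...safe }) => safe) };
}
```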
BHIMA
BHIMA is a free, open source accounting and hospital information management system (HIMS) tailored for rural hospitals in Africa. We are an international team based in the Democratic Republic of the Congo.
BHIMA is an acronym for basic hospital information management application.
Project Goals
BHIMA aims to provide a flexible and robust accounting and managerial solution for rural hospitals. This includes, but is not limited to, basic income/expense reporting, budgeting, patient and organisational billing, depreciation, inventory and pricing, and purchasing.
Additionally, BHIMA bundles reports and optional reporting plugins to help hospital administrators, aid organisations, and governmental/non-governmental agencies access up-to-date utilization data. It targets institutions that must conform to the OHADA reporting standards in western and central Africa.
Finally, the entire project is designed to scale from a single, low cost device in a clinic, to a large multi-hundred bed institution with tens of users accessing the server simultaneously.
Technology
The client-side is written in AngularJS and the server in NodeJS. Session management is enabled by Redis, and the backend is a MySQL database.
Contributing
All contributions are welcome! If you want to get started hacking on BHIMA, the developer wiki contains notes on our designs and testing infrastructure. We also have a dedicated documentation website https://docs.bhi.ma. If you have any questions or need help getting started, please open an issue - chances are you are not the only one!
If you just want to jump into messing with the software, check out Getting Up And Running.
If you are new to Github, they have an excellent guide.
Installation
See the installation guide.
License
BHIMA is licensed under GPL-2.0. Read the License.