CVE-2020-28401 is an improper authorization vulnerability identified in Star Practice Management Web version 2019.2.0.6. This vulnerability allows an unauthorized user to access Work In Progress (WIP) details about jobs that they should not have permission to view. The flaw lies in the application's access control mechanisms, which fail to properly restrict data visibility based on user privileges. Specifically, users with limited privileges (low privilege) can access sensitive information without proper authorization, leading to a breach of confidentiality. The vulnerability does not require user interaction and can be exploited remotely over the network without authentication, which increases its risk profile. The CVSS v3.1 base score is 6.5 (medium severity), reflecting the high impact on confidentiality but no impact on integrity or availability. The scope is unchanged, meaning the vulnerability affects only the vulnerable component and does not propagate to other components. There are no known public exploits in the wild, and no patches or vendor advisories are currently linked, indicating that organizations using this software may remain exposed if they have not implemented custom mitigations or updates. The vulnerability was published on January 29, 2021, and is assigned by MITRE. The lack of vendor or product details beyond the application name limits the ability to correlate with specific deployment environments, but the affected version is clearly identified as 2019.2.0.6 of Star Practice Management Web.

For European organizations using Star Practice Management Web 2019.2.0.6, this vulnerability poses a significant risk to the confidentiality of sensitive operational data related to job workflows. Unauthorized access to WIP details could lead to exposure of proprietary business information, client data, or internal project statuses, potentially resulting in competitive disadvantage, reputational damage, or regulatory non-compliance (e.g., GDPR if personal data is involved). Since the vulnerability allows remote exploitation without authentication or user interaction, attackers could leverage this flaw to conduct reconnaissance or data exfiltration stealthily. Healthcare providers, legal firms, or other professional services using this software for practice management may be particularly impacted due to the sensitive nature of their data. The absence of integrity or availability impact means the threat is primarily data exposure rather than disruption or data manipulation. However, the breach of confidentiality alone can have serious consequences under European data protection laws, including fines and mandatory breach notifications.

Organizations should immediately assess their use of Star Practice Management Web version 2019.2.0.6 and prioritize upgrading to a patched or newer version if available. In the absence of official patches, implement strict network segmentation and access controls to limit exposure of the application to trusted internal networks only. Employ web application firewalls (WAFs) with custom rules to detect and block unauthorized access attempts targeting WIP data endpoints. Conduct thorough access control reviews and audits within the application to ensure user roles and permissions are correctly enforced. Monitor logs for unusual access patterns or attempts to retrieve unauthorized job details. Additionally, consider implementing multi-factor authentication (MFA) for all users to reduce risk from compromised credentials, even though this vulnerability does not require authentication. Regularly update and patch all related infrastructure components and maintain an incident response plan tailored to data confidentiality breaches. Engage with the software vendor or community to obtain updates or workarounds and report any suspicious activity promptly.