
CVE-2020-28404: n/a in n/a

Severity: Medium
Published: Fri Jan 29 2021 (01/29/2021, 06:09:38 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access the Billing page without the appropriate privileges.

AI-Powered Analysis

Last updated: 07/08/2025, 15:12:26 UTC

Technical Analysis

CVE-2020-28404 is an improper authorization vulnerability in Star Practice Management Web version 2019.2.0.6. It allows a user who does not hold the necessary privileges to access the application's Billing page. The flaw stems from insufficient access control within the web application: the server does not verify that the requesting account is entitled to the Billing page, so a user with limited privileges can view sensitive billing information. The vulnerability has a CVSS v3.1 base score of 6.5, a medium severity level. The vector string (CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:L/S:U/UI:N) shows low attack complexity, a network attack vector, no user interaction, and low privileges required (PR:L), meaning the attacker needs an authenticated low-privilege account rather than no account at all. The impact is confined to confidentiality (C:H): unauthorized users can read sensitive billing data, while integrity and availability are unaffected. There are no known exploits in the wild, and no patches or vendor advisories have been linked to this vulnerability. The lack of vendor and product information beyond the application name limits further technical analysis, but the vulnerability clearly exposes sensitive financial data to unauthorized access, which could lead to privacy violations, data leakage, and compliance issues.

Potential Impact

For European organizations using Star Practice Management Web 2019.2.0.6, this vulnerability poses a significant risk to the confidentiality of billing and financial data. Unauthorized access to billing information can lead to exposure of sensitive client financial details, potentially violating GDPR and other data protection regulations prevalent in Europe. This could result in legal penalties, reputational damage, and loss of client trust. Healthcare and professional service providers relying on this software are particularly at risk, as billing data often contains personally identifiable information (PII) and financial records. The unauthorized disclosure could also facilitate further targeted attacks or fraud attempts. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone is critical in regulated environments. The absence of known exploits reduces immediate risk, but the ease of exploitation and lack of required user interaction mean attackers could leverage this vulnerability opportunistically if discovered.

Mitigation Recommendations

European organizations should immediately assess their use of Star Practice Management Web 2019.2.0.6 and restrict access to the application to trusted internal networks only, implementing network segmentation and firewall rules to limit exposure. Since no patches are currently linked, organizations should implement compensating controls such as enhanced authentication and authorization checks at the web server or application gateway level, including web application firewalls (WAFs) configured to detect and block unauthorized access attempts to billing pages. Regularly audit user permissions and monitor access logs for anomalous activity related to billing page access. If possible, disable or restrict the billing page functionality temporarily until a vendor patch or update is available. Additionally, organizations should engage with the software vendor to obtain updates or patches and apply them promptly once released. Conducting security awareness training for administrators and users about the risks of unauthorized access and maintaining up-to-date incident response plans will further reduce risk.
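The class of flaw behind this CVE is a page that checks only whether someone is logged in, not whether that account is entitled to billing data. The following Python example is added here to illustrate that pattern and its fix; it is not code from Star Practice Management Web or its vendor, and the users, roles, invoice record and audit-log sink are constructed for the example. The vulnerable handler stops at authentication; the hardened handler enforces a required role server-side on every request and records each refused attempt, which is the signal the mitigation above says to monitor in access logs.

```python
"""Deny-by-default authorization for a privileged page (hypothetical example)."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, FrozenSet, List, Optional, Tuple

# Constructed sample data: not real clients, invoices or users.
INVOICES = [{"id": "INV-1001", "client": "Client A", "amount": 1250.00}]
# Hypothetical audit sink; a real application would write to its logging pipeline.
AUDIT_LOG: List[str] = []


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[User]  # None models an unauthenticated request


class Forbidden(Exception):
    pass


def billing_page_vulnerable(req: Request) -> dict:
    """Improper authorization: authentication is checked, entitlement is not."""
    if req.user is None:
        raise Forbidden("login required")
    # Any logged-in account reaches the billing data.
    return {"page": "billing", "invoices": INVOICES}


def require_roles(*allowed: str) -> Callable:
    """Decorator that refuses the request unless the caller holds an allowed role."""
    def decorator(handler: Callable[[Request], dict]) -> Callable[[Request], dict]:
        @wraps(handler)
        def wrapper(req: Request) -> dict:
            if req.user is None:
                AUDIT_LOG.append(f"DENY anonymous {req.path}")
                raise Forbidden("login required")
            if not req.user.roles & set(allowed):
                AUDIT_LOG.append(
                    f"DENY {req.user.name} {req.path} roles={sorted(req.user.roles)}"
                )
                raise Forbidden(f"{req.path} requires one of {sorted(allowed)}")
            return handler(req)
        return wrapper
    return decorator


@require_roles("billing", "admin")
def billing_page_hardened(req: Request) -> dict:
    """Same page, but only reachable by accounts entitled to billing data."""
    return {"page": "billing", "invoices": INVOICES}


def dispatch(handler: Callable[[Request], dict], req: Request) -> Tuple[int, Optional[dict]]:
    """Translate the handler outcome into an HTTP-style status code."""
    try:
        return 200, handler(req)
    except Forbidden:
        return (403 if req.user else 401), None


def denied_billing_attempts() -> List[str]:
    """Audit entries worth alerting on: refused requests for the billing page."""
    return [e for e in AUDIT_LOG if e.startswith("DENY") and "/billing" in e]


if __name__ == "__main__":
    clerk = User("clerk", frozenset({"scheduling"}))  # constructed low-privilege account
    req = Request("/billing", clerk)
    print("vulnerable handler:", dispatch(billing_page_vulnerable, req)[0])
    print("hardened handler:  ", dispatch(billing_page_hardened, req)[0])
    print(denied_billing_attempts())
```

The check lives in the handler (or a gateway in front of it) rather than in the navigation menu, because hiding a link does nothing against a user who types the Billing URL directly; the per-request audit entry is what lets the permission review and log monitoring recommended above catch an account probing pages it should not reach.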


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2020-11-10T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839d93e182aa0cae2b72f9f

Added to database: 5/30/2025, 4:13:50 PM

Last enriched: 7/8/2025, 3:12:26 PM

Last updated: 8/12/2025, 3:04:38 AM

