CVE-2020-28406 is an improper authorization vulnerability identified in the Star Practice Management Web application, specifically in version 2019.2.0.6. This vulnerability allows an unauthorized user to access sensitive information related to jobs through the Audit Trail feature, which should normally be restricted. The flaw stems from insufficient access control mechanisms that fail to properly verify user permissions before granting access to job details. According to the CVSS 3.1 vector, the attack complexity is low (AC:L), no user interaction is required (UI:N), and the attack can be performed remotely without authentication (AV:N, PR:L), indicating that an attacker with limited privileges can exploit this vulnerability over the network. The impact is primarily on confidentiality (C:H), as unauthorized users can view sensitive job-related data, but there is no impact on integrity or availability. The vulnerability was published on January 29, 2021, and no known exploits have been reported in the wild to date. The lack of vendor or product-specific information beyond the application name and version limits the granularity of the analysis, but the vulnerability clearly represents a medium-severity risk due to the exposure of sensitive information to unauthorized parties.

For European organizations using Star Practice Management Web 2019.2.0.6, this vulnerability could lead to unauthorized disclosure of sensitive job-related information, potentially including client data, internal workflows, or audit logs. This exposure could result in privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. Since the vulnerability allows unauthorized access without user interaction and requires only low privileges, it increases the risk of insider threats or external attackers exploiting compromised accounts to escalate data exposure. The confidentiality breach could facilitate further targeted attacks or social engineering campaigns. While the vulnerability does not affect system integrity or availability, the leakage of sensitive information can have significant operational and legal consequences for healthcare or professional service providers relying on this software in Europe.

Organizations should immediately verify if they are running Star Practice Management Web version 2019.2.0.6 and restrict access to the Audit Trail feature to only trusted and authorized personnel. Implement strict role-based access control (RBAC) policies and audit user permissions regularly to ensure no unauthorized accounts have access to sensitive job details. Network segmentation and application-layer firewalls can help limit exposure of the management web interface to trusted networks or VPN users only. Monitoring and logging access to the Audit Trail feature should be enhanced to detect anomalous or unauthorized access attempts. If a patch or update is available from the vendor, it should be applied promptly. In the absence of an official patch, consider disabling or restricting the Audit Trail feature until a fix is released. Additionally, conduct user awareness training to mitigate risks from compromised credentials and enforce strong authentication mechanisms, such as multi-factor authentication (MFA), to reduce the likelihood of unauthorized access.