
CVE-2025-35031: CWE-1295 Debug Messages Revealing Unnecessary Information in Medical Informatics Engineering Enterprise Health

Severity: Low
Tags: Vulnerability, CVE-2025-35031, CWE-1295
Published: Mon Sep 29 2025 (09/29/2025, 20:00:42 UTC)
Source: CVE Database V5
Vendor/Project: Medical Informatics Engineering
Product: Enterprise Health

Description

Medical Informatics Engineering Enterprise Health includes the user's current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08.

AI-Powered Analysis

Last updated: 09/29/2025, 20:12:55 UTC

Technical Analysis

CVE-2025-35031 is a vulnerability in Medical Informatics Engineering's Enterprise Health, reported as affecting releases RC202403, RC202409, and RC202503. The application includes the user's current session token in its debug output. A session token is a bearer credential: whoever presents it is the user as far as the server is concerned, so every copy of that output (a support ticket, a screenshot, a pasted log excerpt) carries the means to take over the session. An attacker who persuades a user to share the debug output, for example by posing as support staff, can replay the token and act as that user in Enterprise Health, reading records or performing actions with that user's permissions. The weakness is classified as CWE-1295 (Debug Messages Revealing Unnecessary Information). The vendor states the issue is fixed as of April 8, 2025.

The CVSS v3.1 base score is 3.3 (Low). The vector records a local attack vector (AV:L), no privileges required (PR:N), user interaction required (UI:R), and a confidentiality-only impact with no integrity or availability impact. Two caveats apply when reading that score. First, the attacker needs no foothold on the victim's machine; AV:L reflects that the token leaves the system through the user's own action rather than through a network exploit, and the social-engineering step is cheap. Second, the vector scores no integrity impact even though an impersonated session can do whatever the user can, so the rating is best treated as a lower bound for a system that holds patient records.

Potential Impact

For European organizations, particularly healthcare providers using Medical Informatics Engineering's Enterprise Health, this vulnerability is a risk to patient data confidentiality. If a user is persuaded to share debug output containing a session token, the attacker gains unauthorized access to that user's view of the health records, a personal-data breach that may trigger GDPR notification duties and regulatory penalties, and that erodes patient trust. Exploitation requires user interaction and the scoring treats it as local, which keeps the formal severity low, but the sensitivity of the data reachable through a hijacked clinical session means the practical consequences of a single successful case are out of proportion to the 3.3 score. The absence of integrity and availability impact in the vector, and the narrow exploitation path, are what keep the overall rating below that of more severe vulnerabilities.

Mitigation Recommendations

Organizations should update Enterprise Health to a release that includes the vendor's fix (available as of April 8, 2025 or later) and confirm after the update that debug output no longer contains session tokens. Until then, debug logging should be disabled in production, or its output redacted at the point of emission so that session tokens, cookies, and Authorization headers never reach a ticket, screenshot, or log file. Treat any debug output already shared with support or attached to tickets as exposed: invalidate the sessions of the users who produced it and purge or redact the stored copies. Support staff and users should be told not to paste raw debug output to anyone, and to share it only through channels the organization controls. Strict access controls and monitoring for unusual session activity (a session used from a new IP address or user agent, or concurrently from two locations) help detect a replayed token. Short session lifetimes, server-side invalidation on logout, and multi-factor authentication at login reduce the window during which a stolen token is useful. Regular security audits and vulnerability scanning should include checks for debug information leakage, including grep-style scans of logs and ticket archives for token-shaped values.
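The following Python is an added example for the technical analysis and the mitigation advice above; it is not code from Enterprise Health or Medical Informatics Engineering. It shows a naive debug dump that leaks the session token (the CWE-1295 pattern), a hardened dump that redacts credentials before the text can leave the server, and a scanner that flags token-like values in debug output or logs so already-filed tickets can be triaged. The key names, regular expressions, cookie name and sample request fields are constructed assumptions; the release string in the sample matches one of the affected releases named in the analysis.

```python
"""Added example, not Enterprise Health code: leaky vs. redacting debug dump,
plus a scanner for token-shaped values in debug output or logs. Key names,
patterns and sample data are constructed assumptions for illustration."""
import re
from typing import List, Mapping

# Key-name fragments that usually mark a credential-bearing field (assumption;
# extend for the application under review).
SENSITIVE_KEY_PARTS = ("session", "token", "cookie", "authorization",
                       "password", "secret", "api_key")

# Value-level patterns that look like tokens even when the key name is not
# recognised: Bearer headers, session cookie pairs, and long hex runs.
# Group 1, where present, is the prefix kept so the redacted text stays readable.
TOKEN_PATTERNS = [
    re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._\-]{16,}"),
    re.compile(r"(?i)\b(session(?:_id|_token|id)?=)[A-Za-z0-9._\-]{16,}"),
    re.compile(r"(?<![A-Za-z0-9])[A-Fa-f0-9]{32,}(?![A-Za-z0-9])"),
]

REDACTED = "[REDACTED]"


def is_sensitive_key(key: str) -> bool:
    k = key.lower()
    return any(part in k for part in SENSITIVE_KEY_PARTS)


def redact_value(key: str, value: str) -> str:
    """Drop the whole value for known-sensitive keys; otherwise scrub any
    token-shaped substring while keeping the surrounding context."""
    if is_sensitive_key(key):
        return REDACTED
    out = value
    for pat in TOKEN_PATTERNS:
        out = pat.sub(lambda m: (m.group(1) if m.lastindex else "") + REDACTED, out)
    return out


def debug_dump_vulnerable(request_env: Mapping[str, str]) -> str:
    """Naive troubleshooting dump: every field verbatim, session token included.
    This is the behaviour the advisory describes."""
    return "\n".join(f"{k}={v}" for k, v in sorted(request_env.items()))


def debug_dump_hardened(request_env: Mapping[str, str]) -> str:
    """Same dump with credentials removed at the point of emission, so no
    copy of the output (ticket, screenshot, log) can carry the token."""
    return "\n".join(f"{k}={redact_value(k, v)}"
                     for k, v in sorted(request_env.items()))


def find_leaked_tokens(text: str) -> List[str]:
    """Return the lines of debug output or logs that still carry a token-like
    value. Usable as a pipeline check or to triage support tickets on file."""
    leaks = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if is_sensitive_key(key.strip()):
            if value and value != REDACTED:
                leaks.append(line)
            continue
        if any(p.search(line) for p in TOKEN_PATTERNS):
            leaks.append(line)
    return leaks


# Constructed sample request environment: cookie name, token values and the
# trace line are invented; APP_VERSION uses a release named in the analysis.
SAMPLE_ENV = {
    "REQUEST_URI": "/patient/chart?id=1042",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
    "HTTP_COOKIE": "EH_SESSION=3f9a0c7d2b1e4a6f8c9d0e1f2a3b4c5d; theme=light",
    "HTTP_AUTHORIZATION": "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature",
    "session_token": "3f9a0c7d2b1e4a6f8c9d0e1f2a3b4c5d",
    "DEBUG_TRACE": "login ok for user jdoe, sessionid=9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e",
    "APP_VERSION": "RC202403",
}

if __name__ == "__main__":
    print("--- vulnerable dump ---")
    print(debug_dump_vulnerable(SAMPLE_ENV))
    print("--- hardened dump ---")
    print(debug_dump_hardened(SAMPLE_ENV))
    print("--- leaks found in vulnerable dump ---")
    for line in find_leaked_tokens(debug_dump_vulnerable(SAMPLE_ENV)):
        print(line)
```

The scanner deliberately reports by key name and by value shape, because a token that appears inside a free-text trace line (the constructed DEBUG_TRACE field) would be missed by a key-based filter alone; running it over the hardened output returns nothing, which is the check to add to a build or log pipeline.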


Technical Details

Data Version: 5.1
Assigner Short Name: cisa-cg
Date Reserved: 2025-04-15T20:56:24.404Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68dae7e1c05da5c004a42954

Added to database: 9/29/2025, 8:11:13 PM

Last enriched: 9/29/2025, 8:12:55 PM

Last updated: 10/2/2025, 5:41:09 PM

