This vulnerability in MphRx Minerva 3.6.0 involves an insecure direct object reference (IDOR) in the '/minerva/moUser/show/' endpoint. Authenticated users can manipulate the ID parameter to retrieve data belonging to other registered users, bypassing proper access controls. This flaw corresponds to CWE-284 (Improper Access Control) and can result in unauthorized access to sensitive user information. The vulnerability has a high CVSS 4.0 score of 8.5, reflecting its potential impact. No patch or official remediation level has been published by the vendor, and the product is not a cloud service, so remediation depends on vendor updates or user-side mitigations.

Successful exploitation allows an authenticated user to access data of other registered users by modifying the ID parameter, leading to unauthorized disclosure of user information and exposure of the user list. This compromises confidentiality of user data within the affected Minerva 3.6.0 installation. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users should monitor vendor communications for updates. In the meantime, restrict access to the affected endpoint to trusted users only and consider implementing additional access control checks at the application or network level to limit unauthorized data access.