Risk | Low |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2020-14506 CVE-2020-14525 CVE-2020-16198 CVE-2020-16247 |
CWE-ID | CWE-352 CWE-79 CWE-693 CWE-16 |
Exploitation vector | Local network |
Public exploit | N/A |
Vulnerable software | Clinical Collaboration Platform (Hardware solutions / Medical equipment) |
Vendor | Philips |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU46826
Risk: Low
CVSSv3.1: 4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-14506
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
Description: The vulnerability allows a local user to perform cross-site request forgery (CSRF) attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A local user can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Clinical Collaboration Platform: 12.2.1
External links: http://us-cert.cisa.gov/ics/advisories/icsma-20-261-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU46827
Risk: Low
CVSSv3.1: 4.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-14525
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description: The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker on the local network can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: Clinical Collaboration Platform: 12.2.1
External links: http://us-cert.cisa.gov/ics/advisories/icsma-20-261-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU46828
Risk: Low
CVSSv3.1: 4.4 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-16198
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because the affected software does not prove, or insufficiently proves, that a claim of a given identity is correct. A remote attacker on the local network can bypass implemented security restrictions and elevate privileges on the system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Clinical Collaboration Platform: 12.2.1
External links: http://us-cert.cisa.gov/ics/advisories/icsma-20-261-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU46830
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-16247
CWE-ID:
CWE-16 - Configuration
Exploit availability: No
Description: The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists because the affected product exposes a resource to the wrong control sphere. A local attacker can gain access to the resource.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Clinical Collaboration Platform: 12.2.1
External links: http://us-cert.cisa.gov/ics/advisories/icsma-20-261-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.