Multiple vulnerabilities in Philips Clinical Collaboration Platform



Published: 2020-09-21
Risk: Low
Patch available: YES
Number of vulnerabilities: 4
CVE-ID: CVE-2020-14506, CVE-2020-14525, CVE-2020-16198, CVE-2020-16247
CWE-ID: CWE-352, CWE-79, CWE-693, CWE-16
Exploitation vector: Local network
Public exploit: N/A
Vulnerable software
Clinical Collaboration Platform
Hardware solutions / Medical equipment

Vendor Philips

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Cross-site request forgery

EUVDB-ID: #VU46826

Risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14506

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a local user to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A local user can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Clinical Collaboration Platform: 12.2.1

External links

http://us-cert.cisa.gov/ics/advisories/icsma-20-261-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

EUVDB-ID: #VU46827

Risk: Low

CVSSv3.1: 4.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14525

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker on the local network can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Clinical Collaboration Platform: 12.2.1

External links

http://us-cert.cisa.gov/ics/advisories/icsma-20-261-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Protection Mechanism Failure

EUVDB-ID: #VU46828

Risk: Low

CVSSv3.1: 4.4 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-16198

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because the affected software does not prove, or insufficiently proves, that a claimed identity is correct. A remote attacker on the local network can bypass implemented security restrictions and elevate privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Clinical Collaboration Platform: 12.2.1

External links

http://us-cert.cisa.gov/ics/advisories/icsma-20-261-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Configuration

EUVDB-ID: #VU46830

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-16247

CWE-ID: CWE-16 - Configuration

Exploit availability: No

Description

The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists because the affected product exposes a resource to the wrong control sphere. A local attacker can gain access to the resource.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Clinical Collaboration Platform: 12.2.1

External links

http://us-cert.cisa.gov/ics/advisories/icsma-20-261-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


