CVE-2018-5438

EPSS 0.33%
Published 20.03.2018 17:29:00
Last modified 21.11.2024 04:08:48
Source ics-cert@hq.dhs.gov
Teams watchlist Login
Open Login

Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Philips ≫ Intellispace Cardiovascular Version <= 2.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.33%	0.525

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.3	1	5.2	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	3.3	3.4	4.9	AV:L/AC:M/Au:N/C:P/I:P/A:N

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://www.usa.philips.com/healthcare/about/customer-support/product-security

Vendor Advisory

Mitigation

http://www.securityfocus.com/bid/102847

Third Party Advisory

VDB Entry

https://ics-cert.us-cert.gov/advisories/ICSMA-18-025-01

Third Party Advisory

US Government Resource

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2018-5438

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-5438

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-5438

EUVD