CVE-2020-27298 (GCVE-0-2020-27298)
Vulnerability from cvelistv5 – Published: 2021-01-20 19:27 – Updated: 2025-06-04 19:46
Summary
Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component.
Severity
6.5 (Medium)
CWE
- CWE-78 - OS Command Injection
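Assigner
icscert
References
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-019-01 | x_refsource_MISC |
| https://www.philips.com/a-w/security/security-advisories/product-security-2021.html#2021_archive | |
| https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01 | x_refsource_MISC, x_transferred |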
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Philips | Interventional Workspot | Affected: Release 1.3.2, Release 1.4.0, Release 1.4.1, Release 1.4.3, Release 1.4.5 |
| Philips | Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live | Affected: Release 1.0 |
| Philips | ViewForum | Affected: Release 6.3V1L10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Interventional Workspot",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "Release 1.3.2"
},
{
"status": "affected",
"version": "Release 1.4.0"
},
{
"status": "affected",
"version": "Release 1.4.1"
},
{
"status": "affected",
"version": "Release 1.4.3"
},
{
"status": "affected",
"version": "Release 1.4.5"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "Release 1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ViewForum",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "Release 6.3V1L10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePhilips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component.\u003c/p\u003e"
}
],
"value": "Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T19:46:39.186Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-019-01"
},
{
"url": "https://www.philips.com/a-w/security/security-advisories/product-security-2021.html#2021_archive"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePhilips has released a software patch to proactively address this \nvulnerability in the installed base and will schedule service activities\n with impacted users to implement the correction. As a mitigation for \nthis vulnerability, users with expertise are advised to change the IPMI \npassword for the workstation interface.\u003c/p\u003e\n\u003cp\u003eUsers with questions regarding specific Philips Interventional \nWorkspot and/or installations and correction eligibility should contact a\n \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.usa.philips.com/healthcare/solutions/customer-service-solutions\"\u003ePhilips service support team, regional service support\u003c/a\u003e\u003c/p\u003e\u003cp\u003e, or call 1-800-722-9377 with reference to field change order (FCO) number 2019-IGTBST-014.\u003c/p\u003e\n\u003cp\u003ePlease see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.philips.com/productsecurity\"\u003ePhilips product security website\u003c/a\u003e\u003c/p\u003e for the Philips advisory and the latest security information for Philips products.\n\n\u003cbr\u003e"
}
],
"value": "Philips has released a software patch to proactively address this \nvulnerability in the installed base and will schedule service activities\n with impacted users to implement the correction. As a mitigation for \nthis vulnerability, users with expertise are advised to change the IPMI \npassword for the workstation interface.\n\n\nUsers with questions regarding specific Philips Interventional \nWorkspot and/or installations and correction eligibility should contact a\n Philips service support team, regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions \n\n, or call 1-800-722-9377 with reference to field change order (FCO) number 2019-IGTBST-014.\n\n\nPlease see the Philips product security website https://www.philips.com/productsecurity \n\n for the Philips advisory and the latest security information for Philips products."
}
],
"source": {
"advisory": "ICSMA-21-019-01",
"discovery": "INTERNAL"
},
"title": "Philips Interventional Workstations OS Command Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-27298",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Philips Interventional WorkSpot, Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live, ViewForum",
"version": {
"version_data": [
{
"version_value": "Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10)."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (\u0027OS COMMAND INJECTION\u0027) CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-27298",
"datePublished": "2021-01-20T19:27:22",
"dateReserved": "2020-10-19T00:00:00",
"dateUpdated": "2025-06-04T19:46:39.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:philips:coronary_tools:1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0266F404-C684-4B08-A137-2572146C8406\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:philips:dynamic_coronary_roadmap:1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5AD07C53-5BF9-4F49-9F36-F456232B78A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:philips:interventional_workspot:1.3.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"67EF6C48-A46E-465A-AC66-836B58089A0C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:philips:interventional_workspot:1.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D997305F-1D4B-4F7C-94B2-FFB03189AD86\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:philips:interventional_workspot:1.4.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DD3D4DF4-D219-4DCD-B976-7695ABC711FF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:philips:interventional_workspot:1.4.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A0BDE433-D4FA-4B9C-9003-066573695740\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:philips:interventional_workspot:1.4.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F57F0899-5A6D-47E2-9CF2-3A4BE60CC0C4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:philips:stentboost_live:1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C376C250-4247-4E0E-987A-2C37445F500B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:philips:viewforum:6.3v1l10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E3B747A1-197A-4F85-8581-FBF0AB77662E\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component.\"}, {\"lang\": \"es\", \"value\": \"Philips Interventional Workspot (versi\\u00f3n 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (versi\\u00f3n 1.0), ViewForum (versi\\u00f3n 6.3V1L10).\u0026#xa0;El software construye todo o parte de un comando del Sistema Operativo usando una entrada influenciada externamente de un componente aguas arriba, pero no neutraliza o neutraliza incorrectamente elementos especiales que podr\\u00edan modificar el comando del Sistema Operativo deseado cuando se env\\u00eda a un componente aguas abajo\"}]",
"id": "CVE-2020-27298",
"lastModified": "2024-11-21T05:21:00.880",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:A/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 3.3, \"accessVector\": \"ADJACENT_NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.5, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-01-26T18:15:45.990",
"references": "[{\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
}
}
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.