VAR-201803-2077
Vulnerability from variot - Updated: 2023-12-18 14:01

Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information. The Philips ISCV application contains a session expiration vulnerability. Information may be obtained and information may be altered. Philips IntelliSpace Cardiovascular (ISCV) is a comprehensive heart image and information management system. The Philips IntelliSpace Cardiovascular System has an unauthorized access vulnerability. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. IntelliSpace Cardiovascular version 2.3.0 and prior versions are vulnerable. The system provides viewing of echographic images and a single point of access for physicians.

Note: the aggregated source texts above disagree on whether version 2.3.0 itself is affected ("prior to version 2.3.0" versus "version 2.3.0 and prior versions"); the NVD configuration in the record below lists versions up to and including 2.3.0 as vulnerable.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201803-2077",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "intellispace cardiovascular",
"scope": "lte",
"trust": 1.0,
"vendor": "philips",
"version": "2.3.0"
},
{
"model": "intellispace cardiovascular",
"scope": null,
"trust": 0.8,
"vendor": "philips",
"version": null
},
{
"model": "intellispace cardiovascular",
"scope": "lte",
"trust": 0.6,
"vendor": "philips",
"version": "\u003c=2.3.0"
},
{
"model": "intellispace cardiovascular",
"scope": "eq",
"trust": 0.6,
"vendor": "philips",
"version": "2.3.0"
},
{
"model": "intellispace cardiovascular",
"scope": "eq",
"trust": 0.3,
"vendor": "philips",
"version": "2.3"
},
{
"model": "intellispace cardiovascular",
"scope": "ne",
"trust": 0.3,
"vendor": "philips",
"version": "3.1"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "intellispace cardiovascular",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-02350"
},
{
"db": "BID",
"id": "102847"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"db": "NVD",
"id": "CVE-2018-5438"
},
{
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:philips:intellispace_cardiovascular:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.3.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-5438"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The vendor reported this issue.",
"sources": [
{
"db": "BID",
"id": "102847"
}
],
"trust": 0.3
},
"cve": "CVE-2018-5438",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.4,
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Local",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 3.3,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-5438",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2018-02350",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.4,
"id": "VHN-135469",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:L/AC:M/AU:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.0,
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.3,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-5438",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-5438",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2018-02350",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201802-357",
"trust": 0.6,
"value": "LOW"
},
{
"author": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1",
"trust": 0.2,
"value": "LOW"
},
{
"author": "VULHUB",
"id": "VHN-135469",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-02350"
},
{
"db": "VULHUB",
"id": "VHN-135469"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"db": "NVD",
"id": "CVE-2018-5438"
},
{
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information. Philips ISCV The application contains a session deadline vulnerability.Information may be obtained and information may be altered. Philips IntelliSpace Cardiovascular (ISCV) is a comprehensive heart image and information management system. The Philips IntelliSpace Cardiovascular System has an unauthorized access vulnerability. \nAttackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. \nIntelliSpace Cardiovascular version 2.3.0 and prior versions are vulnerable. The system provides viewing of echographic images and a single point of access for physicians",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-5438"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"db": "CNVD",
"id": "CNVD-2018-02350"
},
{
"db": "BID",
"id": "102847"
},
{
"db": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1"
},
{
"db": "VULHUB",
"id": "VHN-135469"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-5438",
"trust": 3.6
},
{
"db": "ICS CERT",
"id": "ICSMA-18-025-01",
"trust": 3.4
},
{
"db": "BID",
"id": "102847",
"trust": 2.0
},
{
"db": "CNNVD",
"id": "CNNVD-201802-357",
"trust": 0.9
},
{
"db": "CNVD",
"id": "CNVD-2018-02350",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003472",
"trust": 0.8
},
{
"db": "IVD",
"id": "E2E2DC62-39AB-11E9-8D44-000C29342CB1",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-135469",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-02350"
},
{
"db": "VULHUB",
"id": "VHN-135469"
},
{
"db": "BID",
"id": "102847"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"db": "NVD",
"id": "CVE-2018-5438"
},
{
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
]
},
"id": "VAR-201803-2077",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-02350"
},
{
"db": "VULHUB",
"id": "VHN-135469"
}
],
"trust": 1.3632353
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-02350"
}
]
},
"last_update_date": "2023-12-18T14:01:18.927000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Philips IntelliSpace Cardiovascular Vulnerabilities (24-JAN-2018)",
"trust": 0.8,
"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
},
{
"title": "Philips IntelliSpace Cardiovascular Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=78450"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-613",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-135469"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"db": "NVD",
"id": "CVE-2018-5438"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.4,
"url": "https://ics-cert.us-cert.gov/advisories/icsma-18-025-01"
},
{
"trust": 2.0,
"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/102847"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5438"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-5438"
},
{
"trust": 0.3,
"url": "http://www.usa.philips.com/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-02350"
},
{
"db": "VULHUB",
"id": "VHN-135469"
},
{
"db": "BID",
"id": "102847"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"db": "NVD",
"id": "CVE-2018-5438"
},
{
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-02350"
},
{
"db": "VULHUB",
"id": "VHN-135469"
},
{
"db": "BID",
"id": "102847"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"db": "NVD",
"id": "CVE-2018-5438"
},
{
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-01-31T00:00:00",
"db": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1"
},
{
"date": "2018-01-31T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-02350"
},
{
"date": "2018-03-20T00:00:00",
"db": "VULHUB",
"id": "VHN-135469"
},
{
"date": "2018-01-25T00:00:00",
"db": "BID",
"id": "102847"
},
{
"date": "2018-05-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"date": "2018-03-20T17:29:00.363000",
"db": "NVD",
"id": "CVE-2018-5438"
},
{
"date": "2018-02-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-01-31T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-02350"
},
{
"date": "2018-04-20T00:00:00",
"db": "VULHUB",
"id": "VHN-135469"
},
{
"date": "2018-01-25T00:00:00",
"db": "BID",
"id": "102847"
},
{
"date": "2018-05-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-003472"
},
{
"date": "2018-04-20T15:02:28.600000",
"db": "NVD",
"id": "CVE-2018-5438"
},
{
"date": "2018-03-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "BID",
"id": "102847"
},
{
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
],
"trust": 0.9
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Philips IntelliSpace Cardiovascular System Unauthorized Access Vulnerability",
"sources": [
{
"db": "IVD",
"id": "e2e2dc62-39ab-11e9-8d44-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-02350"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201802-357"
}
],
"trust": 0.6
}
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.