VAR-202009-0318
Vulnerability from variot - Updated: 2023-12-18 11:58Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly. Clinical Collaboration Platform Is vulnerable to several vulnerabilities: * Cross-site request forgery (CWE-352) - CVE-2020-14506 *Web Improperly invalidating scripts in page tag attributes (CWE-83) - CVE-2020-14525 * Malfunction of protection mechanism (CWE-693) - CVE-2020-16198 * Algorithm downgrade (CWE-757) - CVE-2020-16200 * Environmental setting (CWE-16) - CVE-2020-16247The expected impact depends on each vulnerability, but it may be affected as follows. * When a user who logs in to the product accesses a specially crafted page, he / she is forced to perform an unintended operation. - CVE-2020-14506 * Arbitrary script is executed by the user who logged in to the product - CVE-2020-14525 * Authentication is bypassed and unauthorized access is made by an adjacent third party - CVE-2020-16198 * Adjacent third parties cause resource exhaustion and disrupt service operations (DoS) Be in a state - CVE-2020-16200 * Unauthorized access to sensitive information by a third party - CVE-2020-16247. Attackers can use this vulnerability to conduct cross-site request forgery attacks
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202009-0318",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "clinical collaboration platform",
"scope": "lte",
"trust": 1.0,
"vendor": "philips",
"version": "12.2.1"
},
{
"model": "clinical collaboration platform",
"scope": "eq",
"trust": 0.8,
"vendor": "philips",
"version": "12.2.1"
},
{
"model": "clinical collaboration platform",
"scope": "lte",
"trust": 0.6,
"vendor": "philips",
"version": "\u003c=12.2.1"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "NVD",
"id": "CVE-2020-14506"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:philips:clinical_collaboration_platform:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "12.2.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-14506"
}
]
},
"cve": "CVE-2020-14506",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CNVD-2020-52882",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-167391",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "IPA score",
"availabilityImpact": "None",
"baseScore": 3.4,
"baseSeverity": "Low",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "JVNDB-2020-008764",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "High",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "IPA score",
"availabilityImpact": "None",
"baseScore": 3.5,
"baseSeverity": "Low",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "JVNDB-2020-008764",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Adjacent Network",
"author": "IPA score",
"availabilityImpact": "Low",
"baseScore": 5.0,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "JVNDB-2020-008764",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "IPA score",
"availabilityImpact": "High",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-008764",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "IPA score",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-008764",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "IPA",
"id": "JVNDB-2020-008764",
"trust": 2.4,
"value": "Medium"
},
{
"author": "IPA",
"id": "JVNDB-2020-008764",
"trust": 1.6,
"value": "Low"
},
{
"author": "NVD",
"id": "CVE-2020-14506",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2020-52882",
"trust": 0.6,
"value": "LOW"
},
{
"author": "CNNVD",
"id": "CNNVD-202009-1051",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-167391",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"db": "VULHUB",
"id": "VHN-167391"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "NVD",
"id": "CVE-2020-14506"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1051"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly. Clinical Collaboration Platform Is vulnerable to several vulnerabilities: * Cross-site request forgery (CWE-352) - CVE-2020-14506 *Web Improperly invalidating scripts in page tag attributes (CWE-83) - CVE-2020-14525 * Malfunction of protection mechanism (CWE-693) - CVE-2020-16198 * Algorithm downgrade (CWE-757) - CVE-2020-16200 * Environmental setting (CWE-16) - CVE-2020-16247The expected impact depends on each vulnerability, but it may be affected as follows. * When a user who logs in to the product accesses a specially crafted page, he / she is forced to perform an unintended operation. - CVE-2020-14506 * Arbitrary script is executed by the user who logged in to the product - CVE-2020-14525 * Authentication is bypassed and unauthorized access is made by an adjacent third party - CVE-2020-16198 * Adjacent third parties cause resource exhaustion and disrupt service operations (DoS) Be in a state - CVE-2020-16200 * Unauthorized access to sensitive information by a third party - CVE-2020-16247. Attackers can use this vulnerability to conduct cross-site request forgery attacks",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-14506"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"db": "VULHUB",
"id": "VHN-167391"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "ICS CERT",
"id": "ICSMA-20-261-01",
"trust": 3.1
},
{
"db": "NVD",
"id": "CVE-2020-14506",
"trust": 3.1
},
{
"db": "JVN",
"id": "JVNVU94803567",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2020-52882",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2020.3220",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1051",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-167391",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"db": "VULHUB",
"id": "VHN-167391"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "NVD",
"id": "CVE-2020-14506"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1051"
}
]
},
"id": "VAR-202009-0318",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"db": "VULHUB",
"id": "VHN-167391"
}
],
"trust": 1.2999999999999998
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52882"
}
]
},
"last_update_date": "2023-12-18T11:58:02.016000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Product Security ",
"trust": 0.8,
"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
},
{
"title": "Patch for Philips Clinical Collaboration Platform cross-site request forgery vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/234892"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-352",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-167391"
},
{
"db": "NVD",
"id": "CVE-2020-14506"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.7,
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-16200"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-16247"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-14506"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-14525"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-16198"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu94803567"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14506"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3220/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"db": "VULHUB",
"id": "VHN-167391"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "NVD",
"id": "CVE-2020-14506"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1051"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"db": "VULHUB",
"id": "VHN-167391"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"db": "NVD",
"id": "CVE-2020-14506"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1051"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-09-19T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"date": "2020-09-18T00:00:00",
"db": "VULHUB",
"id": "VHN-167391"
},
{
"date": "2020-09-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"date": "2020-09-18T18:15:16.583000",
"db": "NVD",
"id": "CVE-2020-14506"
},
{
"date": "2020-09-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202009-1051"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-09-19T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"date": "2020-09-25T00:00:00",
"db": "VULHUB",
"id": "VHN-167391"
},
{
"date": "2020-09-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-008764"
},
{
"date": "2020-09-25T18:18:08.977000",
"db": "NVD",
"id": "CVE-2020-14506"
},
{
"date": "2020-09-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202009-1051"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202009-1051"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Philips Clinical Collaboration Platform cross-site request forgery vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52882"
},
{
"db": "CNNVD",
"id": "CNNVD-202009-1051"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "cross-site request forgery",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202009-1051"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…