CVE-2018-5438

{"id": "CVE-2018-5438", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.0}]}, "published": "2018-03-20T17:29:00.363", "references": [{"url": "http://www.securityfocus.com/bid/102847", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-025-01", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security", "tags": ["Mitigation", "Vendor Advisory"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information."}, {"lang": "es", "value": "La aplicaci\u00f3n Philips ISCV, en versiones anteriores a la 2.3.0, tiene una vulnerabilidad de expiraci\u00f3n insuficiente de sesi\u00f3n donde un atacante podr\u00eda reutilizar la sesi\u00f3n de un usuario que haya iniciado sesi\u00f3n anteriormente. La vulnerabilidad existe al emplear ISCV junto con un sistema EMR (Electronic Medical Record) cuando ISCV est\u00e1 en modo KIOSK para m\u00faltiples usuarios y empleando autenticaci\u00f3n de Windows. Esto podr\u00eda permitir que un atacante obtenga acceso no autorizado a informaci\u00f3n de salud del paciente y que pueda modificarla."}], "lastModified": "2018-04-20T15:02:28.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:philips:intellispace_cardiovascular:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53695467-C883-4602-92F9-1D3BE724C447", "versionEndIncluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}