ID

VAR-202009-0605


CVE

CVE-2020-16218


TITLE

Philips Patient Information Center iX Cross-site scripting vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202009-683

DESCRIPTION

In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application. A vulnerability exists in Patient Information. The vulnerability stems from special elements that may be interpreted as commands when spreadsheet software opens the file. The following products and versions are affected: B.02, C.02, C.03

Trust: 0.99

sources: NVD: CVE-2020-16218 // VULHUB: VHN-169274

AFFECTED PRODUCTS

vendor:philipsmodel:patient information center ixscope:eqversion:c.03

Trust: 1.0

vendor:philipsmodel:patient information center ixscope:eqversion:c.02

Trust: 1.0

vendor:philipsmodel:patient information center ixscope:eqversion:b.02

Trust: 1.0

sources: NVD: CVE-2020-16218

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-16218
value: LOW

Trust: 1.0

CNNVD: CNNVD-202009-683
value: LOW

Trust: 0.6

VULHUB: VHN-169274
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-16218
severity: LOW
baseScore: 2.7
vectorString: AV:A/AC:L/AU:S/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 5.1
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-169274
severity: LOW
baseScore: 2.7
vectorString: AV:A/AC:L/AU:S/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 5.1
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-16218
baseSeverity: LOW
baseScore: 3.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-169274 // CNNVD: CNNVD-202009-683 // NVD: CVE-2020-16218

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

sources: VULHUB: VHN-169274 // NVD: CVE-2020-16218

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202009-683

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202009-683

PATCH

title:Patient Information Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128125

Trust: 0.6

sources: CNNVD: CNNVD-202009-683

EXTERNAL IDS

db:NVDid:CVE-2020-16218

Trust: 1.7

db:ICS CERTid:ICSMA-20-254-01

Trust: 1.7

db:CNNVDid:CNNVD-202009-683

Trust: 0.7

db:AUSCERTid:ESB-2020.3140

Trust: 0.6

db:VULHUBid:VHN-169274

Trust: 0.1

sources: VULHUB: VHN-169274 // CNNVD: CNNVD-202009-683 // NVD: CVE-2020-16218

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

Trust: 2.3

url:https://www.philips.com/productsecurity

Trust: 1.0

url:https://www.auscert.org.au/bulletins/esb-2020.3140/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-16218

Trust: 0.6

sources: VULHUB: VHN-169274 // CNNVD: CNNVD-202009-683 // NVD: CVE-2020-16218

CREDITS

in the context of the BSI project ManiMed (Manipulation of medical devices), Germany,Julian Suleder, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Dr. Oliver Matula of ERNW Enno, which reported these to Philips., Nils Emmerich, Birk Kauer of ERNW Research GmbH

Trust: 0.6

sources: CNNVD: CNNVD-202009-683

SOURCES

db:VULHUBid:VHN-169274
db:CNNVDid:CNNVD-202009-683
db:NVDid:CVE-2020-16218

LAST UPDATE DATE

2024-11-23T21:35:20.112000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-169274date:2020-09-15T00:00:00
db:CNNVDid:CNNVD-202009-683date:2022-03-08T00:00:00
db:NVDid:CVE-2020-16218date:2024-11-21T05:06:57.580

SOURCES RELEASE DATE

db:VULHUBid:VHN-169274date:2020-09-11T00:00:00
db:CNNVDid:CNNVD-202009-683date:2020-09-10T00:00:00
db:NVDid:CVE-2020-16218date:2020-09-11T13:15:11.237