ID

VAR-202009-0607


CVE

CVE-2020-16222


TITLE

Philips Patient Information Center iX Authorization problem vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202009-679

DESCRIPTION

In Patient Information Center iX (PICiX) Version B.02, C.02, C.03, and PerformanceBridge Focal Point Version A.01, when an actor claims to have a given identity, the software does not prove or insufficiently proves the claim is correct. A vulnerability exists in Patient Information. The vulnerability stems from special elements that may be interpreted as commands when spreadsheet software opens the file. The following products and versions are affected: B.02, C.02, C.03

Trust: 0.99

sources: NVD: CVE-2020-16222 // VULHUB: VHN-169279

AFFECTED PRODUCTS

vendor: philips, model: performancebridge focal point, scope: eq, version: a.01

Trust: 1.0

vendor: philips, model: patient information center ix, scope: eq, version: c.03

Trust: 1.0

vendor: philips, model: patient information center ix, scope: eq, version: c.02

Trust: 1.0

vendor: philips, model: patient information center ix, scope: eq, version: b.02

Trust: 1.0

sources: NVD: CVE-2020-16222

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-16222
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202009-679
value: HIGH

Trust: 0.6

VULHUB: VHN-169279
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-16222
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-169279
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2020-16222
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-169279 // CNNVD: CNNVD-202009-679 // NVD: CVE-2020-16222

PROBLEMTYPE DATA

problemtype: CWE-287

Trust: 1.1

sources: VULHUB: VHN-169279 // NVD: CVE-2020-16222

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202009-679

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202009-679

PATCH

title: Patient Information Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128121

Trust: 0.6

sources: CNNVD: CNNVD-202009-679

EXTERNAL IDS

db: ICS CERT, id: ICSMA-20-254-01

Trust: 1.7

db: NVD, id: CVE-2020-16222

Trust: 1.7

db: CNNVD, id: CNNVD-202009-679

Trust: 0.7

db: AUSCERT, id: ESB-2020.3140

Trust: 0.6

db: VULHUB, id: VHN-169279

Trust: 0.1

sources: VULHUB: VHN-169279 // CNNVD: CNNVD-202009-679 // NVD: CVE-2020-16222

REFERENCES

url: https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

Trust: 2.3

url: https://www.philips.com/productsecurity

Trust: 1.0

url: https://www.auscert.org.au/bulletins/esb-2020.3140/

Trust: 0.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-16222

Trust: 0.6

sources: VULHUB: VHN-169279 // CNNVD: CNNVD-202009-679 // NVD: CVE-2020-16222

CREDITS

Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.

Trust: 0.6

sources: CNNVD: CNNVD-202009-679

SOURCES

db: VULHUB, id: VHN-169279
db: CNNVD, id: CNNVD-202009-679
db: NVD, id: CVE-2020-16222

LAST UPDATE DATE

2024-08-14T13:43:56.143000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-169279, date: 2020-09-15T00:00:00
db: CNNVD, id: CNNVD-202009-679, date: 2022-03-08T00:00:00
db: NVD, id: CVE-2020-16222, date: 2023-12-12T21:15:07.800

SOURCES RELEASE DATE

db: VULHUB, id: VHN-169279, date: 2020-09-11T00:00:00
db: CNNVD, id: CNNVD-202009-679, date: 2020-09-10T00:00:00
db: NVD, id: CVE-2020-16222, date: 2020-09-11T13:15:11.300