ID

VAR-201809-0149


CVE

CVE-2018-14803


TITLE

Philips e-Alert Unit Vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2018-010911

DESCRIPTION

Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The Philips e-Alert contains a banner disclosure vulnerability that could allow attackers to obtain extraneous product information, such as OS and software components, via the HTTP response header that is normally not available to the attacker, but might be useful information in an attack.

Philips e-Alert is prone to the following security vulnerabilities:

1. An input-validation vulnerability
2. A cross-site scripting vulnerability
3. Multiple information-disclosure vulnerabilities
4. An insecure default permissions vulnerability
5. A cross-site request-forgery vulnerability
6. A session-fixation vulnerability
7. A denial-of-service vulnerability
8. A security-bypass vulnerability

Attackers may exploit these issues to gain unauthorized access to the affected device, or to bypass certain security restrictions to perform unauthorized actions, to compromise the application to access or modify data and to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or to execute arbitrary code within the context of the affected device. e-Alert R2.1 and prior are vulnerable.

Philips e-Alert is an electronic alert solution for MRI systems from Philips, the Netherlands. It is mainly used to monitor the performance of MRI systems and issue alerts

Trust: 1.98

sources: NVD: CVE-2018-14803 // JVNDB: JVNDB-2018-010911 // BID: 105194 // VULHUB: VHN-124999

AFFECTED PRODUCTS

vendor: philips, model: e-alert, scope: lte, version: r2.1

Trust: 1.8

vendor: philips, model: e-alert, scope: eq, version: r2.1

Trust: 0.6

vendor: philips, model: e-alert r2.1, scope: -, version: -

Trust: 0.3

vendor: philips, model: e-alert r2, scope: -, version: -

Trust: 0.3

sources: BID: 105194 // JVNDB: JVNDB-2018-010911 // CNNVD: CNNVD-201809-112 // NVD: CVE-2018-14803

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-14803
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-14803
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201809-112
value: MEDIUM

Trust: 0.6

VULHUB: VHN-124999
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-14803
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-124999
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-14803
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-124999 // JVNDB: JVNDB-2018-010911 // CNNVD: CNNVD-201809-112 // NVD: CVE-2018-14803

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.9

sources: VULHUB: VHN-124999 // JVNDB: JVNDB-2018-010911 // NVD: CVE-2018-14803

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-112

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201809-112

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010911

PATCH

title: Philips e-Alert Unit Vulnerabilities (30-AUG-2018), url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title: Philips e-Alert Repair measures for information disclosure vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84473

Trust: 0.6

sources: JVNDB: JVNDB-2018-010911 // CNNVD: CNNVD-201809-112

EXTERNAL IDS

db: ICS CERT, id: ICSA-18-242-01

Trust: 2.8

db: NVD, id: CVE-2018-14803

Trust: 2.8

db: BID, id: 105194

Trust: 2.0

db: JVNDB, id: JVNDB-2018-010911

Trust: 0.8

db: CNNVD, id: CNNVD-201809-112

Trust: 0.7

db: VULHUB, id: VHN-124999

Trust: 0.1

sources: VULHUB: VHN-124999 // BID: 105194 // JVNDB: JVNDB-2018-010911 // CNNVD: CNNVD-201809-112 // NVD: CVE-2018-14803

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-18-242-01

Trust: 2.8

url: http://www.securityfocus.com/bid/105194

Trust: 1.7

url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14803

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-14803

Trust: 0.8

sources: VULHUB: VHN-124999 // BID: 105194 // JVNDB: JVNDB-2018-010911 // CNNVD: CNNVD-201809-112 // NVD: CVE-2018-14803

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105194

SOURCES

db: VULHUB, id: VHN-124999
db: BID, id: 105194
db: JVNDB, id: JVNDB-2018-010911
db: CNNVD, id: CNNVD-201809-112
db: NVD, id: CVE-2018-14803

LAST UPDATE DATE

2024-11-23T22:26:13.046000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-124999, date: 2019-10-09T00:00:00
db: BID, id: 105194, date: 2018-08-30T00:00:00
db: JVNDB, id: JVNDB-2018-010911, date: 2018-12-27T00:00:00
db: CNNVD, id: CNNVD-201809-112, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-14803, date: 2024-11-21T03:49:49.790

SOURCES RELEASE DATE

db: VULHUB, id: VHN-124999, date: 2018-09-26T00:00:00
db: BID, id: 105194, date: 2018-08-30T00:00:00
db: JVNDB, id: JVNDB-2018-010911, date: 2018-12-27T00:00:00
db: CNNVD, id: CNNVD-201809-112, date: 2018-09-04T00:00:00
db: NVD, id: CVE-2018-14803, date: 2018-09-26T19:29:00.333