ID

VAR-201809-1090


CVE

CVE-2018-8848


TITLE

Philips e-Alert Unit Permissions vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-010696

DESCRIPTION

Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.

Philips e-Alert is prone to the following security vulnerabilities:

1. An input-validation vulnerability
2. A cross-site scripting vulnerability
3. Multiple information-disclosure vulnerabilities
4. An insecure default permissions vulnerability
5. A cross-site request-forgery vulnerability
6. A session-fixation vulnerability
7. A denial-of-service vulnerability
8. A security-bypass vulnerability

Attackers may exploit these issues to gain unauthorized access to the affected device, or to bypass certain security restrictions to perform unauthorized actions, to compromise the application to access or modify data and to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or to execute arbitrary code within the context of the affected device. e-Alert R2.1 and prior are vulnerable.

Philips e-Alert is an electronic alert solution for MRI systems from Philips, the Netherlands. It is mainly used to monitor the performance of MRI systems and issue alerts. An attacker could exploit this vulnerability to gain elevated privileges.

Trust: 1.98

sources: NVD: CVE-2018-8848 // JVNDB: JVNDB-2018-010696 // BID: 105194 // VULHUB: VHN-138880

AFFECTED PRODUCTS

vendor: philips, model: e-alert, scope: lte, version: r2.1

Trust: 1.8

vendor: philips, model: e-alert, scope: eq, version: r2.1

Trust: 0.6

vendor: philips, model: e-alert r2.1, scope: -, version: -

Trust: 0.3

vendor: philips, model: e-alert r2, scope: -, version: -

Trust: 0.3

sources: BID: 105194 // JVNDB: JVNDB-2018-010696 // CNNVD: CNNVD-201809-113 // NVD: CVE-2018-8848

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8848
value: HIGH

Trust: 1.0

NVD: CVE-2018-8848
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201809-113
value: HIGH

Trust: 0.6

VULHUB: VHN-138880
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-8848
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-138880
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-8848
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2018-8848
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-138880 // JVNDB: JVNDB-2018-010696 // CNNVD: CNNVD-201809-113 // NVD: CVE-2018-8848

PROBLEMTYPE DATA

problemtype: CWE-276

Trust: 1.1

problemtype: CWE-732

Trust: 1.1

problemtype: CWE-275

Trust: 0.9

sources: VULHUB: VHN-138880 // JVNDB: JVNDB-2018-010696 // NVD: CVE-2018-8848

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-113

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201809-113

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010696

PATCH

title: Philips e-Alert Unit Vulnerabilities (30-AUG-2018), url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title: Philips e-Alert Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84474

Trust: 0.6

sources: JVNDB: JVNDB-2018-010696 // CNNVD: CNNVD-201809-113

EXTERNAL IDS

db: NVD, id: CVE-2018-8848

Trust: 2.8

db: ICS CERT, id: ICSA-18-242-01

Trust: 2.8

db: BID, id: 105194

Trust: 2.0

db: JVNDB, id: JVNDB-2018-010696

Trust: 0.8

db: CNNVD, id: CNNVD-201809-113

Trust: 0.7

db: VULHUB, id: VHN-138880

Trust: 0.1

sources: VULHUB: VHN-138880 // BID: 105194 // JVNDB: JVNDB-2018-010696 // CNNVD: CNNVD-201809-113 // NVD: CVE-2018-8848

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-18-242-01

Trust: 2.8

url: http://www.securityfocus.com/bid/105194

Trust: 1.7

url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8848

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-8848

Trust: 0.8

sources: VULHUB: VHN-138880 // BID: 105194 // JVNDB: JVNDB-2018-010696 // CNNVD: CNNVD-201809-113 // NVD: CVE-2018-8848

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105194

SOURCES

db: VULHUB, id: VHN-138880
db: BID, id: 105194
db: JVNDB, id: JVNDB-2018-010696
db: CNNVD, id: CNNVD-201809-113
db: NVD, id: CVE-2018-8848

LAST UPDATE DATE

2024-11-23T22:26:13.076000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-138880, date: 2020-09-29T00:00:00
db: BID, id: 105194, date: 2018-08-30T00:00:00
db: JVNDB, id: JVNDB-2018-010696, date: 2018-12-20T00:00:00
db: CNNVD, id: CNNVD-201809-113, date: 2020-10-23T00:00:00
db: NVD, id: CVE-2018-8848, date: 2024-11-21T04:14:26.713

SOURCES RELEASE DATE

db: VULHUB, id: VHN-138880, date: 2018-09-26T00:00:00
db: BID, id: 105194, date: 2018-08-30T00:00:00
db: JVNDB, id: JVNDB-2018-010696, date: 2018-12-20T00:00:00
db: CNNVD, id: CNNVD-201809-113, date: 2018-09-04T00:00:00
db: NVD, id: CVE-2018-8848, date: 2018-09-26T19:29:01.800