Sign-up

ID

VAR-201809-1092


CVE

CVE-2018-8852


TITLE

Philips e-Alert Unit Session fixation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-010698

DESCRIPTION

Philips e-Alert Unit (non-medical device), Version R2.1 and prior. When authenticating a user or otherwise establishing a new user session, the software gives an attacker the opportunity to steal authenticated sessions without invalidating any existing session identifier. Philips e-Alert Unit Contains a session fixation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Philips e-Alert is prone to the following security vulnerabilities: 1. An input-validation vulnerability 2. A cross-site scripting vulnerability 3. Multiple information-disclosure vulnerabilities 4. An insecure default permissions vulnerability 5. A cross-site request-forgery vulnerability 6. A session-fixation vulnerability 7. A denial-of-service vulnerability 8. A security-bypass vulnerability Attackers may exploit these issues to gain unauthorized access to the affected device, or to bypass certain security restrictions to perform unauthorized actions, to compromise the application to access or modify data and to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or to execute arbitrary code within the context of the affected device. e-Alert R2.1 and prior are vulnerable. Philips e-Alert is an electronic alert solution for MRI systems from Philips, the Netherlands. It is mainly used to monitor the performance of MRI systems and issue alerts. A session fixation vulnerability exists in Philips e-Alert R2.1 and earlier versions

Trust: 1.98

sources: NVD: CVE-2018-8852 // JVNDB: JVNDB-2018-010698 // BID: 105194 // VULHUB: VHN-138884

AFFECTED PRODUCTS

vendor:philipsmodel:e-alertscope:lteversion:r2.1

Trust: 1.8

vendor:philipsmodel:e-alertscope:eqversion:r2.1

Trust: 0.6

vendor:philipsmodel:e-alert r2.1scope: - version: -

Trust: 0.3

vendor:philipsmodel:e-alert r2scope: - version: -

Trust: 0.3

sources: BID: 105194 // JVNDB: JVNDB-2018-010698 // CNNVD: CNNVD-201809-116 // NVD: CVE-2018-8852

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8852
value: HIGH

Trust: 1.0

NVD: CVE-2018-8852
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201809-116
value: HIGH

Trust: 0.6

VULHUB: VHN-138884
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-8852
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-138884
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-8852
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-138884 // JVNDB: JVNDB-2018-010698 // CNNVD: CNNVD-201809-116 // NVD: CVE-2018-8852

PROBLEMTYPE DATA

problemtype:CWE-384

Trust: 1.9

sources: VULHUB: VHN-138884 // JVNDB: JVNDB-2018-010698 // NVD: CVE-2018-8852

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-116

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201809-116

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-010698

PATCH
title:Philips e-Alert Unit Vulnerabilities (30-AUG-2018)url:https://www.usa.philips.com/healthcare/about/customer-support/product-security
Trust: 0.8
title:Philips e-Alert Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84477
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-010698 // 
            
            
            
            CNNVD: CNNVD-201809-116

EXTERNAL IDS
db:ICS CERTid:ICSA-18-242-01
Trust: 2.8
db:NVDid:CVE-2018-8852
Trust: 2.8
db:BIDid:105194
Trust: 2.0
db:JVNDBid:JVNDB-2018-010698
Trust: 0.8
db:CNNVDid:CNNVD-201809-116
Trust: 0.7
db:VULHUBid:VHN-138884
Trust: 0.1
sources:
            
            
            VULHUB: VHN-138884 // 
            
            
            
            BID: 105194 // 
            
            
            
            JVNDB: JVNDB-2018-010698 // 
            
            
            
            CNNVD: CNNVD-201809-116 // 
            
            
            
            NVD: CVE-2018-8852

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-242-01
Trust: 2.8
url:http://www.securityfocus.com/bid/105194
Trust: 1.7
url:https://www.usa.philips.com/healthcare/about/customer-support/product-security
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8852
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-8852
Trust: 0.8
sources:
            
            
            VULHUB: VHN-138884 // 
            
            
            
            BID: 105194 // 
            
            
            
            JVNDB: JVNDB-2018-010698 // 
            
            
            
            CNNVD: CNNVD-201809-116 // 
            
            
            
            NVD: CVE-2018-8852

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 105194

SOURCES
db:VULHUBid:VHN-138884
db:BIDid:105194
db:JVNDBid:JVNDB-2018-010698
db:CNNVDid:CNNVD-201809-116
db:NVDid:CVE-2018-8852

LAST UPDATE DATE
2024-11-23T22:26:12.923000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-138884date:2019-10-09T00:00:00
db:BIDid:105194date:2018-08-30T00:00:00
db:JVNDBid:JVNDB-2018-010698date:2018-12-20T00:00:00
db:CNNVDid:CNNVD-201809-116date:2019-10-17T00:00:00
db:NVDid:CVE-2018-8852date:2024-11-21T04:14:27.230

SOURCES RELEASE DATE
db:VULHUBid:VHN-138884date:2018-09-26T00:00:00
db:BIDid:105194date:2018-08-30T00:00:00
db:JVNDBid:JVNDB-2018-010698date:2018-12-20T00:00:00
db:CNNVDid:CNNVD-201809-116date:2018-09-04T00:00:00
db:NVDid:CVE-2018-8852date:2018-09-26T19:29:02.597