ID

VAR-201809-1166


CVE

CVE-2018-8844


TITLE

Philips e-Alert Unit Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2018-010694

DESCRIPTION

Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Philips e-Alert Unit contains a cross-site request forgery vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS).

Philips e-Alert is prone to the following security vulnerabilities:
1. An input-validation vulnerability
2. A cross-site scripting vulnerability
3. Multiple information-disclosure vulnerabilities
4. An insecure default permissions vulnerability
5. A cross-site request-forgery vulnerability
6. A session-fixation vulnerability
7. A denial-of-service vulnerability
8. A security-bypass vulnerability

Attackers may exploit these issues to gain unauthorized access to the affected device, to bypass certain security restrictions and perform unauthorized actions, to compromise the application and access or modify data, to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, or to execute arbitrary code within the context of the affected device. e-Alert R2.1 and prior are vulnerable.

Philips e-Alert is an electronic alert solution for MRI systems from Philips, the Netherlands. It is mainly used to monitor the performance of MRI systems and issue alerts. There is a cross-site request forgery vulnerability in Philips e-Alert R2.1 and earlier versions. A remote attacker could exploit this vulnerability to perform unauthorized operations.

Trust: 1.98

sources: NVD: CVE-2018-8844 // JVNDB: JVNDB-2018-010694 // BID: 105194 // VULHUB: VHN-138876

AFFECTED PRODUCTS

vendor: philips model: e-alert scope: lte version: r2.1

Trust: 1.8

vendor: philips model: e-alert scope: eq version: r2.1

Trust: 0.6

vendor: philips model: e-alert r2.1 scope: - version: -

Trust: 0.3

vendor: philips model: e-alert r2 scope: - version: -

Trust: 0.3

sources: BID: 105194 // JVNDB: JVNDB-2018-010694 // CNNVD: CNNVD-201809-115 // NVD: CVE-2018-8844

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8844
value: HIGH

Trust: 1.0

NVD: CVE-2018-8844
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201809-115
value: HIGH

Trust: 0.6

VULHUB: VHN-138876
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-8844
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-138876
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-8844
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-138876 // JVNDB: JVNDB-2018-010694 // CNNVD: CNNVD-201809-115 // NVD: CVE-2018-8844

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.9

sources: VULHUB: VHN-138876 // JVNDB: JVNDB-2018-010694 // NVD: CVE-2018-8844

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-115

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201809-115

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010694

PATCH

title: Philips e-Alert Unit Vulnerabilities (30-AUG-2018) url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title: Philips e-Alert Fixes for cross-site request forgery vulnerabilities url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84476

Trust: 0.6

sources: JVNDB: JVNDB-2018-010694 // CNNVD: CNNVD-201809-115

EXTERNAL IDS

db: ICS CERT id: ICSA-18-242-01

Trust: 2.8

db: NVD id: CVE-2018-8844

Trust: 2.8

db: BID id: 105194

Trust: 2.0

db: JVNDB id: JVNDB-2018-010694

Trust: 0.8

db: CNNVD id: CNNVD-201809-115

Trust: 0.7

db: VULHUB id: VHN-138876

Trust: 0.1

sources: VULHUB: VHN-138876 // BID: 105194 // JVNDB: JVNDB-2018-010694 // CNNVD: CNNVD-201809-115 // NVD: CVE-2018-8844

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-18-242-01

Trust: 2.8

url: http://www.securityfocus.com/bid/105194

Trust: 1.7

url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8844

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-8844

Trust: 0.8

sources: VULHUB: VHN-138876 // BID: 105194 // JVNDB: JVNDB-2018-010694 // CNNVD: CNNVD-201809-115 // NVD: CVE-2018-8844

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105194

SOURCES

db: VULHUB id: VHN-138876
db: BID id: 105194
db: JVNDB id: JVNDB-2018-010694
db: CNNVD id: CNNVD-201809-115
db: NVD id: CVE-2018-8844

LAST UPDATE DATE

2024-11-23T22:26:12.985000+00:00


SOURCES UPDATE DATE

db: VULHUB id: VHN-138876 date: 2019-10-09T00:00:00
db: BID id: 105194 date: 2018-08-30T00:00:00
db: JVNDB id: JVNDB-2018-010694 date: 2018-12-20T00:00:00
db: CNNVD id: CNNVD-201809-115 date: 2019-10-17T00:00:00
db: NVD id: CVE-2018-8844 date: 2024-11-21T04:14:26.177

SOURCES RELEASE DATE

db: VULHUB id: VHN-138876 date: 2018-09-26T00:00:00
db: BID id: 105194 date: 2018-08-30T00:00:00
db: JVNDB id: JVNDB-2018-010694 date: 2018-12-20T00:00:00
db: CNNVD id: CNNVD-201809-115 date: 2018-09-04T00:00:00
db: NVD id: CVE-2018-8844 date: 2018-09-26T19:29:01.037