ID

VAR-201809-1167


CVE

CVE-2018-8846


TITLE

Philips e-Alert Unit Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-010695

DESCRIPTION

Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is then served to other users. Philips e-Alert Unit contains a cross-site scripting vulnerability. Information may be obtained and information may be altered.

Philips e-Alert is prone to the following security vulnerabilities:

1. An input-validation vulnerability
2. A cross-site scripting vulnerability
3. Multiple information-disclosure vulnerabilities
4. An insecure default permissions vulnerability
5. A cross-site request-forgery vulnerability
6. A session-fixation vulnerability
7. A denial-of-service vulnerability
8. A security-bypass vulnerability

Attackers may exploit these issues to gain unauthorized access to the affected device, or to bypass certain security restrictions to perform unauthorized actions, to compromise the application to access or modify data and to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or to execute arbitrary code within the context of the affected device. e-Alert R2.1 and prior are vulnerable.

Philips e-Alert is an electronic alert solution for MRI systems from Philips, the Netherlands. It is mainly used to monitor the performance of MRI systems and issue alerts. The vulnerability stems from the fact that the program does not properly filter the input submitted by the user. A remote attacker could exploit this vulnerability to execute scripts in the user's browser.

Trust: 1.98

sources: NVD: CVE-2018-8846 // JVNDB: JVNDB-2018-010695 // BID: 105194 // VULHUB: VHN-138878

AFFECTED PRODUCTS

vendor: philips, model: e-alert, scope: lte, version: r2.1

Trust: 1.8

vendor: philips, model: e-alert, scope: eq, version: r2.1

Trust: 0.6

vendor: philips, model: e-alert r2.1, scope: -, version: -

Trust: 0.3

vendor: philips, model: e-alert r2, scope: -, version: -

Trust: 0.3

sources: BID: 105194 // JVNDB: JVNDB-2018-010695 // CNNVD: CNNVD-201809-111 // NVD: CVE-2018-8846

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8846
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-8846
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201809-111
value: MEDIUM

Trust: 0.6

VULHUB: VHN-138878
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-8846
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-138878
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-8846
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-138878 // JVNDB: JVNDB-2018-010695 // CNNVD: CNNVD-201809-111 // NVD: CVE-2018-8846

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-138878 // JVNDB: JVNDB-2018-010695 // NVD: CVE-2018-8846

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-111

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201809-111

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010695

PATCH

title: Philips e-Alert Unit Vulnerabilities (30-AUG-2018)
url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title: Philips e-Alert Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84472

Trust: 0.6

sources: JVNDB: JVNDB-2018-010695 // CNNVD: CNNVD-201809-111

EXTERNAL IDS

db: ICS CERT, id: ICSA-18-242-01

Trust: 2.8

db: NVD, id: CVE-2018-8846

Trust: 2.8

db: BID, id: 105194

Trust: 2.0

db: JVNDB, id: JVNDB-2018-010695

Trust: 0.8

db: CNNVD, id: CNNVD-201809-111

Trust: 0.7

db: VULHUB, id: VHN-138878

Trust: 0.1

sources: VULHUB: VHN-138878 // BID: 105194 // JVNDB: JVNDB-2018-010695 // CNNVD: CNNVD-201809-111 // NVD: CVE-2018-8846

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-242-01

Trust: 2.8

url:http://www.securityfocus.com/bid/105194

Trust: 1.7

url:https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8846

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-8846

Trust: 0.8

sources: VULHUB: VHN-138878 // BID: 105194 // JVNDB: JVNDB-2018-010695 // CNNVD: CNNVD-201809-111 // NVD: CVE-2018-8846

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105194

SOURCES

db: VULHUB, id: VHN-138878
db: BID, id: 105194
db: JVNDB, id: JVNDB-2018-010695
db: CNNVD, id: CNNVD-201809-111
db: NVD, id: CVE-2018-8846

LAST UPDATE DATE

2024-11-23T22:26:12.954000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-138878, date: 2019-10-09T00:00:00
db: BID, id: 105194, date: 2018-08-30T00:00:00
db: JVNDB, id: JVNDB-2018-010695, date: 2018-12-20T00:00:00
db: CNNVD, id: CNNVD-201809-111, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-8846, date: 2024-11-21T04:14:26.453

SOURCES RELEASE DATE

db: VULHUB, id: VHN-138878, date: 2018-09-26T00:00:00
db: BID, id: 105194, date: 2018-08-30T00:00:00
db: JVNDB, id: JVNDB-2018-010695, date: 2018-12-20T00:00:00
db: CNNVD, id: CNNVD-201809-111, date: 2018-09-04T00:00:00
db: NVD, id: CVE-2018-8846, date: 2018-09-26T19:29:01.363