ID

VAR-202009-0318


CVE

CVE-2020-14506


TITLE

Philips Clinical Collaboration Platform cross-site request forgery vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-52882 // CNNVD: CNNVD-202009-1051

DESCRIPTION

Affects Philips Clinical Collaboration Platform, versions 12.2.1 and prior. The product receives input or data, but it does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly.

Clinical Collaboration Platform is affected by several vulnerabilities:

* Cross-site request forgery (CWE-352) - CVE-2020-14506
* Improper neutralization of script in attributes in a web page (CWE-83) - CVE-2020-14525
* Protection mechanism failure (CWE-693) - CVE-2020-16198
* Algorithm downgrade (CWE-757) - CVE-2020-16200
* Configuration (CWE-16) - CVE-2020-16247

The expected impact depends on each vulnerability, but the product may be affected as follows:

* When a user who is logged in to the product accesses a specially crafted page, the user is forced to perform an unintended operation. - CVE-2020-14506
* An arbitrary script is executed in the context of a user who is logged in to the product. - CVE-2020-14525
* An adjacent third party bypasses authentication and gains unauthorized access. - CVE-2020-16198
* An adjacent third party exhausts resources and puts the service into a denial-of-service (DoS) state. - CVE-2020-16200
* A third party gains unauthorized access to sensitive information. - CVE-2020-16247

Attackers can use this vulnerability to conduct cross-site request forgery attacks.

Trust: 2.25

sources: NVD: CVE-2020-14506 // JVNDB: JVNDB-2020-008764 // CNVD: CNVD-2020-52882 // VULHUB: VHN-167391

IOT TAXONOMY

category:['ICS'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-52882

AFFECTED PRODUCTS

vendor:philips model:clinical collaboration platform scope:lte version:12.2.1

Trust: 1.0

vendor:philips model:clinical collaboration platform scope:eq version:12.2.1

Trust: 0.8

vendor:philips model:clinical collaboration platform scope:lte version:<=12.2.1

Trust: 0.6

sources: CNVD: CNVD-2020-52882 // JVNDB: JVNDB-2020-008764 // NVD: CVE-2020-14506

CVSS

SEVERITY

CVSSV2

CVSSV3

IPA: JVNDB-2020-008764
value: MEDIUM

Trust: 2.4

IPA: JVNDB-2020-008764
value: LOW

Trust: 1.6

nvd@nist.gov: CVE-2020-14506
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2020-14506
value: LOW

Trust: 1.0

CNVD: CNVD-2020-52882
value: LOW

Trust: 0.6

CNNVD: CNNVD-202009-1051
value: MEDIUM

Trust: 0.6

VULHUB: VHN-167391
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-14506
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2020-52882
severity: LOW
baseScore: 3.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-167391
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-14506
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2020-14506
baseSeverity: LOW
baseScore: 3.4
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 2.5
version: 3.1

Trust: 1.0

IPA score: JVNDB-2020-008764
baseSeverity: LOW
baseScore: 3.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA score: JVNDB-2020-008764
baseSeverity: LOW
baseScore: 3.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA score: JVNDB-2020-008764
baseSeverity: MEDIUM
baseScore: 5.0
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA score: JVNDB-2020-008764
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA score: JVNDB-2020-008764
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-52882 // VULHUB: VHN-167391 // JVNDB: JVNDB-2020-008764 // JVNDB: JVNDB-2020-008764 // JVNDB: JVNDB-2020-008764 // JVNDB: JVNDB-2020-008764 // JVNDB: JVNDB-2020-008764 // CNNVD: CNNVD-202009-1051 // NVD: CVE-2020-14506 // NVD: CVE-2020-14506

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.1

sources: VULHUB: VHN-167391 // NVD: CVE-2020-14506

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1051

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202009-1051

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008764

PATCH

title:Product Security url:https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title:Patch for Philips Clinical Collaboration Platform cross-site request forgery vulnerability url:https://www.cnvd.org.cn/patchInfo/show/234892

Trust: 0.6

sources: CNVD: CNVD-2020-52882 // JVNDB: JVNDB-2020-008764

EXTERNAL IDS

db:ICS CERT id:ICSMA-20-261-01

Trust: 3.1

db:NVD id:CVE-2020-14506

Trust: 3.1

db:JVN id:JVNVU94803567

Trust: 0.8

db:JVNDB id:JVNDB-2020-008764

Trust: 0.8

db:CNVD id:CNVD-2020-52882

Trust: 0.7

db:AUSCERT id:ESB-2020.3220

Trust: 0.6

db:CNNVD id:CNNVD-202009-1051

Trust: 0.6

db:VULHUB id:VHN-167391

Trust: 0.1

sources: CNVD: CNVD-2020-52882 // VULHUB: VHN-167391 // JVNDB: JVNDB-2020-008764 // CNNVD: CNNVD-202009-1051 // NVD: CVE-2020-14506

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01

Trust: 3.7

url:https://www.philips.com/a-w/security/security-advisories/product-security-2020.html#2020_archive

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-16200

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-16247

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-14506

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-14525

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-16198

Trust: 0.8

url:https://jvn.jp/vu/jvnvu94803567

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-14506

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3220/

Trust: 0.6

sources: CNVD: CNVD-2020-52882 // VULHUB: VHN-167391 // JVNDB: JVNDB-2020-008764 // CNNVD: CNNVD-202009-1051 // NVD: CVE-2020-14506

SOURCES

db:CNVD id:CNVD-2020-52882
db:VULHUB id:VHN-167391
db:JVNDB id:JVNDB-2020-008764
db:CNNVD id:CNNVD-202009-1051
db:NVD id:CVE-2020-14506

LAST UPDATE DATE

2025-06-05T23:07:39.545000+00:00


SOURCES UPDATE DATE

db:CNVD id:CNVD-2020-52882 date:2020-09-19T00:00:00
db:VULHUB id:VHN-167391 date:2020-09-25T00:00:00
db:JVNDB id:JVNDB-2020-008764 date:2020-09-24T00:00:00
db:CNNVD id:CNNVD-202009-1051 date:2020-09-27T00:00:00
db:NVD id:CVE-2020-14506 date:2025-06-04T20:15:21.540

SOURCES RELEASE DATE

db:CNVD id:CNVD-2020-52882 date:2020-09-19T00:00:00
db:VULHUB id:VHN-167391 date:2020-09-18T00:00:00
db:JVNDB id:JVNDB-2020-008764 date:2020-09-24T00:00:00
db:CNNVD id:CNNVD-202009-1051 date:2020-09-17T00:00:00
db:NVD id:CVE-2020-14506 date:2020-09-18T18:15:16.583