CVE-2018-5438

low-risk
Published 2018-03-20

Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.

Do I need to act?

-
0.52% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.3/10 Medium
LOCAL / HIGH complexity

Affected Products (1)

Intellispace Cardiovascular

Affected Vendors

Philips

References (6)

Third Party Advisory http://www.securityfocus.com/bid/102847
Mitigation https://ics-cert.us-cert.gov/advisories/ICSMA-18-025-01
Mitigation https://www.usa.philips.com/healthcare/about/customer-support/product-security
Third Party Advisory http://www.securityfocus.com/bid/102847
Mitigation https://ics-cert.us-cert.gov/advisories/ICSMA-18-025-01
Mitigation https://www.usa.philips.com/healthcare/about/customer-support/product-security
23
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal