Published: 2018-04-24 11:29:00
Last modified: 2018-06-05 14:05:28

[Original text] The backend database of the Philips DoseWise Portal application versions and uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.



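- CVSS (base score)

CVSS score: 6.5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker does not need internal-network or local access]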

- CWE (weakness category)

CWE-798 [Use of Hard-coded Credentials]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD

- Other links and resources

- Vulnerability information

Philips DoseWise Portal ICSMA-17-229-01 Security Bypass and Information Disclosure Vulnerabilities
Access Validation Error 100471
Yes No
2017-08-17 12:00:00 2017-08-17 12:00:00
The vendor reported this issue.

- Affected program versions

Philips DoseWise Portal
Philips DoseWise Portal

- Vulnerability discussion

Philips DoseWise Portal is prone to a security-bypass vulnerability and an information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information or bypass the authentication mechanism and gain unauthorized access to the device.

DoseWise Portal and are vulnerable.

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at:

- Solution

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at:

- References