Philips Patient Monitoring Devices Improper Neutralization of Formula Elements in a CSV File
CVE-2020-16214

5MEDIUM

Key Information:

Vendor: Philips
Status: Patient Information Center Ix (picix)
Vendor: CVE Published:; 11 September 2020

Summary

In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the software saves user-provided information into a comma-separated value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.

Affected Version(s)

Patient Information Center iX (PICiX) B.02

Patient Information Center iX (PICiX) C.02

Patient Information Center iX (PICiX) C.03

References

https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

x_refsource_MISC

https://www.philips.com/productsecurity

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 11, 2020
Vulnerability Reserved
Jul 31, 2020

Credit

Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.