Philips Patient Monitoring Devices Cross-site Scripting
CVE-2020-16218

3.5LOW

Key Information:

Vendor: Philips
Status: Patient Information Center Ix (picix)
Vendor: CVE Published:; 11 September 2020

Summary

In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application.

Affected Version(s)

Patient Information Center iX (PICiX) B.02

Patient Information Center iX (PICiX) C.02

Patient Information Center iX (PICiX) C.03

References

https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

x_refsource_MISC

https://www.philips.com/productsecurity

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 11, 2020
Vulnerability Reserved
Jul 31, 2020

Credit

Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.