CVE-2018-8846
https://notcve.org/view.php?id=CVE-2018-8846
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is then served to other users.
• http://www.securityfocus.com/bid/105194
• https://ics-cert.us-cert.gov/advisories/ICSA-18-242-01
• https://www.usa.philips.com/healthcare/about/customer-support/product-security
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-8850
https://notcve.org/view.php?id=CVE-2018-8850
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software does not validate input properly, allowing an attacker to craft the input in a form that is not expected by the rest of the application. This would lead to parts of the unit receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.
• http://www.securityfocus.com/bid/105194
• https://ics-cert.us-cert.gov/advisories/ICSA-18-242-01
• https://www.usa.philips.com/healthcare/about/customer-support/product-security
• CWE-20: Improper Input Validation
CVE-2018-8852
https://notcve.org/view.php?id=CVE-2018-8852
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. When authenticating a user or otherwise establishing a new user session, the software gives an attacker the opportunity to steal authenticated sessions without invalidating any existing session identifier.
• http://www.securityfocus.com/bid/105194
• https://ics-cert.us-cert.gov/advisories/ICSA-18-242-01
• https://www.usa.philips.com/healthcare/about/customer-support/product-security
• CWE-384: Session Fixation
CVE-2018-14801
https://notcve.org/view.php?id=CVE-2018-14801
In Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs, all versions prior to May 2018, an attacker with both the superuser password and physical access can enter the superuser password that can be used to access and modify all settings on the device, as well as allow the user to reset existing passwords.
• http://www.securityfocus.com/bid/105103
• https://ics-cert.us-cert.gov/advisories/ICSMA-18-228-01
• https://www.usa.philips.com/healthcare/about/customer-support/product-security
• CWE-798: Use of Hard-coded Credentials
CVE-2018-14787
https://notcve.org/view.php?id=CVE-2018-14787
In Philips' IntelliSpace Cardiovascular (ISCV) products (ISCV Version 2.x or prior and Xcelera Version 4.1 or prior), an attacker with escalated privileges could access folders which contain executables where authenticated users have write permissions, and could then execute arbitrary code with local administrative permissions.
• https://ics-cert.us-cert.gov/advisories/ICSMA-18-226-01
• https://www.usa.philips.com/healthcare/about/customer-support/product-security
• CWE-269: Improper Privilege Management