// For flags

CVE-2017-9656

 

Severity Score

9.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

La base de datos del backend de la aplicación Philips DoseWise Portal, en sus versiones 1.1.7.333 y 2.1.1.3069, emplea credenciales embebidas para una cuenta de la base de datos con privilegios que puede afectar a la confidencialidad, integridad y disponibilidad de la base de datos. Para que un atacante explote esta vulnerabilidad, primero necesita privilegios elevados para poder acceder a los archivos del sistema del backend de la aplicación web que contienen las credenciales embebidas. Si se explota esta vulnerabilidad con éxito, un atacante remoto podría obtener acceso a la base de datos de la aplicación DWP, que contiene PHI. Puntuación base de CVSS v3: 9.1, cadena de vector CVSS: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-06-14 CVE Reserved
  • 2018-04-24 CVE Published
  • 2024-02-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-798: Use of Hard-coded Credentials
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Philips
Search vendor "Philips"
 Dosewise
Search vendor "Philips" for product "Dosewise"
 1.1.7.333
Search vendor "Philips" for product "Dosewise" and version "1.1.7.333"
-
Affected
Philips
Search vendor "Philips"
 Dosewise
Search vendor "Philips" for product "Dosewise"
 2.1.1.3069
Search vendor "Philips" for product "Dosewise" and version "2.1.1.3069"
-
Affected