CVE-2024-50593
Hardcoded Service Password
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An attacker with local access to the medical office computer can
access restricted functions of the Elefant Service tool by using a
hard-coded "Hotline" password in the Elefant service binary, which is shipped with the software.
Un atacante con acceso local a el ordenador del consultorio médico puede acceder a funciones restringidas de la herramienta de servicio Elefant mediante el uso de una contraseña de "línea directa" codificada en el binario del servicio Elefant, que se envía con el software.
HASOMED Elefant versions prior to 24.04.00 and Elefant Software Updater versions prior to 1.4.2.1811 suffer from having an unprotected exposed firebird database, unprotected FHIR API, multiple local privilege escalation, and hardcoded service password vulnerabilities.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-10-25 CVE Reserved
- 2024-11-08 CVE Published
- 2024-11-08 CVE Updated
- 2024-11-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-798: Use of Hard-coded Credentials
CAPEC
- CAPEC-191: Read Sensitive Constants Within an Executable
References (2)
URL | Tag | Source |
---|---|---|
https://r.sec-consult.com/hasomed | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://hasomed.de/produkte/elefant | 2024-11-08 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
- | - | - | - | - |