Vulnerability-Lookup

CNVD-2016-00882

Vulnerability from cnvd - Published: 2016-02-15

Title

EClinicalWorks Population Health Client Portal SQL注入漏洞

Description

EClinicalWorks Population Health是美国EClinicalWorks公司的一套人口健康解决方案，它提供仪表板分析、患者预约、护理计划和患者转诊安全网络等功能。Client Portal是其中的一个门户网站。 EClinicalWorks Population Health Client Portal的portalUserService.jsp脚本中SQL注入漏洞，允许远程攻击者利用漏洞提交特制的SQL查询，操作或获取数据库数据。

Severity

高

Formal description

目前没有详细的解决方案提供： https://www.eclinicalworks.com/

Reference

http://www.securityfocus.com/bid/82296

Impacted products

Name
EClinicalWorks Population Health Client Portal

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "82296"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-4592"
    }
  },
  "description": "EClinicalWorks Population Health\u662f\u7f8e\u56fdEClinicalWorks\u516c\u53f8\u7684\u4e00\u5957\u4eba\u53e3\u5065\u5eb7\u89e3\u51b3\u65b9\u6848\uff0c\u5b83\u63d0\u4f9b\u4eea\u8868\u677f\u5206\u6790\u3001\u60a3\u8005\u9884\u7ea6\u3001\u62a4\u7406\u8ba1\u5212\u548c\u60a3\u8005\u8f6c\u8bca\u5b89\u5168\u7f51\u7edc\u7b49\u529f\u80fd\u3002Client Portal\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u95e8\u6237\u7f51\u7ad9\u3002\r\n\r\nEClinicalWorks Population Health Client Portal\u7684portalUserService.jsp\u811a\u672c\u4e2dSQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u5236\u7684SQL\u67e5\u8be2\uff0c\u64cd\u4f5c\u6216\u83b7\u53d6\u6570\u636e\u5e93\u6570\u636e\u3002",
  "discovererName": "Jerold Hoong.",
  "formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttps://www.eclinicalworks.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-00882",
  "openTime": "2016-02-15",
  "products": {
    "product": "EClinicalWorks Population Health Client Portal"
  },
  "referenceLink": "http://www.securityfocus.com/bid/82296",
  "serverity": "\u9ad8",
  "submitTime": "2016-02-08",
  "title": "EClinicalWorks Population Health Client Portal SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2015-4592 (GCVE-0-2015-4592)

Vulnerability from cvelistv5 – Published: 2017-01-10 15:00 – Updated: 2024-08-06 06:18

Summary

eClinicalWorks Population Health (CCMR) suffers from an SQL injection vulnerability in portalUserService.jsp which allows remote authenticated users to inject arbitrary malicious database commands as part of user input.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

3 references

URL	Tags
https://www.exploit-db.com/exploits/39402/	exploitx_refsource_EXPLOIT-DB
http://www.securityfocus.com/archive/1/537420/100…	mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/135533/eClin…	x_refsource_MISC

Date Public

2016-01-31 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:18:11.956Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "39402",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/39402/"
          },
          {
            "name": "20160131 eClinicalWorks (CCMR) - Multiple Vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/537420/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/135533/eClinicalWorks-Population-Health-CCMR-SQL-Injection-CSRF-XSS.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-01-31T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "eClinicalWorks Population Health (CCMR) suffers from an SQL injection vulnerability in portalUserService.jsp which allows remote authenticated users to inject arbitrary malicious database commands as part of user input."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "39402",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/39402/"
        },
        {
          "name": "20160131 eClinicalWorks (CCMR) - Multiple Vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/537420/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/135533/eClinicalWorks-Population-Health-CCMR-SQL-Injection-CSRF-XSS.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-4592",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "eClinicalWorks Population Health (CCMR) suffers from an SQL injection vulnerability in portalUserService.jsp which allows remote authenticated users to inject arbitrary malicious database commands as part of user input."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "39402",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/39402/"
            },
            {
              "name": "20160131 eClinicalWorks (CCMR) - Multiple Vulnerabilities",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/537420/100/0/threaded"
            },
            {
              "name": "http://packetstormsecurity.com/files/135533/eClinicalWorks-Population-Health-CCMR-SQL-Injection-CSRF-XSS.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/135533/eClinicalWorks-Population-Health-CCMR-SQL-Injection-CSRF-XSS.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-4592",
    "datePublished": "2017-01-10T15:00:00.000Z",
    "dateReserved": "2015-06-16T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:18:11.956Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2016-00882

CVE-2015-4592 (GCVE-0-2015-4592)

Tags

Sightings

Nomenclature