CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
73.6%
MEDHOST Perioperative Information Management System (PIMS) versions prior to 2015R1 contain hard-coded credentials that are used for customer database access.
CWE-798: Use of Hard-coded Credentials - CVE-2016-4328
MEDHOST PIMS, previously branded as VPIMS, contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the application database server may be able to obtain or modify sensitive patient information.
An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the application database server may be able to obtain or modify patient information.
Apply an upgrade
The vendor has addressed the use of hard-coded credentials in PIMS 2015R1 and newer versions. Administrators are encouraged to upgrade to the latest release.
Restrict network access
As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from using the hard-coded credentials from a blocked network location.
482135
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: March 17, 2016 Updated: May 16, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 6.9 | E:F/RL:OF/RC:C |
Environmental | 2.0 | CDP:LM/TD:L/CR:ND/IR:H/AR:H |
Thanks to Daniel Dunstedter for reporting this vulnerability.
This document was written by Joel Land.
CVE IDs: | CVE-2016-4328 |
---|---|
Date Public: | 2016-05-26 Date First Published: |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
73.6%