An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The user running the main CCE firmware has NOPASSWD sudo privileges to several utilities that could be used to escalate privileges to root. One example is the "sudo ln -s /tmp/script /etc/cron.hourly/script" command.
7.8CVSS
7.7AI Score
0.0004EPSS
An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The hostname, timezone, and NTP server configurations on the CCE device are vulnerable to command injection by sending a crafted configuration file over the network.
9.8CVSS
9.5AI Score
0.006EPSS
8.8CVSS
8.7AI Score
0.001EPSS
8.8CVSS
8.6AI Score
0.001EPSS
8.8CVSS
8.6AI Score
0.001EPSS
8.8CVSS
8.6AI Score
0.001EPSS
A SQL Injection vulnerability in Cerner Mobile Care 5.0.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the default.aspx User ID field. Arbitrary system commands can be executed through the use of xp_cmdshell.
9.8CVSS
9.9AI Score
0.002EPSS