1. EXECUTIVE SUMMARY
- CVSS v3.1 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Baxter
- Equipment: Connex Health Portal
- Vulnerabilities: SQL Injection, Improper Access Control
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could lead to malicious code injection, shutdown of database service, or the ability to access, modify, or delete sensitive data from the database.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Baxter (formerly Hillrom and Welch Allyn) products are affected:
- Baxter Connex Health Portal: all versions prior to 8/30/2024
3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89
Due to improper sanitation of values of certain parameters, a remote, unauthenticated attacker could potentially run arbitrary SQL queries, access, modify and delete sensitive data and/or administrative operations including shutting down the database.
CVE-2024-6795 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.2 IMPROPER ACCESS CONTROL CWE-284
A vulnerability in the application could potentially lead to an unauthorized user gaining access to patient and clinician information, modifying or deleting clinic details.
CVE-2024-6796 has been as
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: