{ "document": { "acknowledgments": [ { "organization": "Northridge Hospital Medical Center", "summary": "reporting these vulnerabilities to Philips" } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", "title": "CISA Disclaimer" }, { "category": "summary", "text": "Northridge Hospital Medical Center reported these vulnerabilities to Philips.", "title": "Summary" }, { "category": "other", "text": "No known public exploits specifically target this these vulnerabilities. These vulnerabilities are not exploitable remotely.", "title": "Exploitability" } ], "publisher": { "category": "coordinator", "contact_details": "CISAservicedesk@cisa.dhs.gov", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "references": [ { "category": "self", "summary": "ICS Advisory ICSMA-20-261-01 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsma-20-261-01.json" }, { "category": "self", "summary": "ICS Advisory ICSMA-20-261-01 Web Version", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-261-01" } ], "title": "ICSMA-20-261-01_Philips Clinical Collaboration Platform", "tracking": { "current_release_date": "2020-09-17T00:00:00.000000Z", "generator": { "engine": { "name": "CISA USCert CSAF Generator", "version": "1" } }, "id": "ICSMA-20-261-01", "initial_release_date": "2020-09-17T00:00:00.000000Z", "revision_history": [ { "date": "2020-09-17T00:00:00.000000Z", "legacy_version": "Initial", "number": "1", "summary": "ICSMA-20-261-01 Philips Clinical Collaboration Platform" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "<= 12.2.1", "product": { "name": "Clinical Collaboration Platform: Versions 12.2.1 and prior", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "Clinical Collaboration Platform" } ], "category": "vendor", "name": "Philips" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-14506", "cwe": { "id": "CWE-668", "name": "Exposure of Resource to Wrong Sphere" }, "notes": [ { "category": "summary", "text": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly.CVE-2020-14506 has been assigned to this vulnerability. A CVSS v3 base score of 3.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Philips Clinical Collaboration Platform Version 12.2.5 was released in May 2020 to remediate CWE-16, CWE-352, CWE-83, and CWE-693. Philips requires manual intervention to remediate CWE-757.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-14506" }, { "cve": "CVE-2020-14525", "cwe": { "id": "CWE-668", "name": "Exposure of Resource to Wrong Sphere" }, "notes": [ { "category": "summary", "text": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users.CVE-2020-14525 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Philips Clinical Collaboration Platform Version 12.2.5 was released in May 2020 to remediate CWE-16, CWE-352, CWE-83, and CWE-693. Philips requires manual intervention to remediate CWE-757.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-14525" }, { "cve": "CVE-2020-16198", "cwe": { "id": "CWE-668", "name": "Exposure of Resource to Wrong Sphere" }, "notes": [ { "category": "summary", "text": "When an attacker claims to have a given identity, the software does not prove or insufficiently proves the claim is correct.CVE-2020-16198 has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "remediations": [ { "category": "mitigation", "details": "Philips Clinical Collaboration Platform Version 12.2.5 was released in May 2020 to remediate CWE-16, CWE-352, CWE-83, and CWE-693. Philips requires manual intervention to remediate CWE-757.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.0, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-16198" }, { "cve": "CVE-2020-16200", "cwe": { "id": "CWE-668", "name": "Exposure of Resource to Wrong Sphere" }, "notes": [ { "category": "summary", "text": "The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an attacker to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.CVE-2020-16200 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Philips Clinical Collaboration Platform Version 12.2.5 was released in May 2020 to remediate CWE-16, CWE-352, CWE-83, and CWE-693. Philips requires manual intervention to remediate CWE-757.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-16200" }, { "cve": "CVE-2020-16247", "cwe": { "id": "CWE-668", "name": "Exposure of Resource to Wrong Sphere" }, "notes": [ { "category": "summary", "text": "The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.CVE-2020-16247 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Philips Clinical Collaboration Platform Version 12.2.5 was released in May 2020 to remediate CWE-16, CWE-352, CWE-83, and CWE-693. Philips requires manual intervention to remediate CWE-757.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-16247" } ] }