Overview
MEDHOST Perioperative Information Management System (PIMS) versions prior to 2015R1 contain hard-coded credentials that are used for customer database access.
Description
CWE-798: Use of Hard-coded Credentials - CVE-2016-4328 MEDHOST PIMS, previously branded as VPIMS, contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the application database server may be able to obtain or modify sensitive patient information. |
Impact
An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the application database server may be able to obtain or modify patient information. |
Solution
Apply an upgrade |
Restrict network access |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 6.9 | E:F/RL:OF/RC:C |
| Environmental | 2.0 | CDP:LM/TD:L/CR:ND/IR:H/AR:H |
References
Acknowledgements
Thanks to Daniel Dunstedter for reporting this vulnerability.
This document was written by Joel Land.
Other Information
| CVE IDs: | CVE-2016-4328 |
| Date Public: | 2016-05-26 |
| Date First Published: | 2016-05-26 |
| Date Last Updated: | 2016-05-26 17:37 UTC |
| Document Revision: | 13 |