CVE-2017-5598

Name of the Vulnerable Software and Affected Versions eClinicalWorks healow@work version 8.0 build 8

Description A blind SQL injection issue was discovered, which can be exploited by un-authenticated users via an HTTP POST request to the EmployeePortalServlet page. The employer parameter is vulnerable. This can be used to dump database data to a malicious server using out-of-band techniques, such as select loadfile().

Recommendations For eClinicalWorks healow@work version 8.0 build 8, consider restricting access to the EmployeePortalServlet page until a patch is available. As a temporary workaround, avoid using the employer parameter in the affected page to minimize the risk of exploitation.