CVE-2017-5599

Name of the Vulnerable Software and Affected Versions eClinicalWorks Patient Portal version 7.0 build 13

Description A reflected Cross Site Scripting issue affects the raceMasterList.jsp page within the Patient Portal. The inserted payload is rendered within the Patient Portal, and since the raceMasterList.jsp page does not require authentication, it can be exploited to extract sensitive information or perform attacks against the user's browser. The issue specifically involves the race parameter.

Recommendations For eClinicalWorks Patient Portal version 7.0 build 13, consider restricting access to the raceMasterList.jsp page until a fix is available, and avoid using the race parameter in this page to minimize the risk of exploitation.