CVE-2017-5570

Name of the Vulnerable Software and Affected Versions eClinicalWorks Patient Portal version 7.0 build 13

Description A blind SQL injection issue was discovered, which can be exploited by authenticated users via an HTTP POST request to the "messageJson.jsp" endpoint. This can be used to dump database data to a malicious server using out-of-band techniques such as select loadfile().

Recommendations For eClinicalWorks Patient Portal version 7.0 build 13, consider restricting access to the "messageJson.jsp" endpoint until a patch is available. As a temporary workaround, limit the use of SQL queries within this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.