PT-2017-16603 · Eclinicalworks · Eclinicalworks Healow@Work

Published: 2017-01-27 · Updated: 2017-02-01 · CVE-2017-5598

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: eClinicalWorks healow@work version 8.0 build 8

Description: A blind SQL injection issue was discovered that can be exploited by unauthenticated users via an HTTP POST request to the EmployeePortalServlet page. The employer parameter is vulnerable. This can be used to dump database data to a malicious server using out-of-band techniques, such as SELECT LOAD_FILE().

Recommendations: For eClinicalWorks healow@work version 8.0 build 8, consider restricting access to the EmployeePortalServlet page until a patch is available. As a temporary workaround, avoid using the employer parameter in the affected page to minimize the risk of exploitation.
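The defect class behind this advisory is a request parameter spliced into SQL text. The following is an added illustration, not code from eClinicalWorks or from this advisory: it models an employer lookup with a constructed in-memory SQLite table (the real product's database, schema and servlet code are unknown here and are assumptions), shows the concatenation pattern beside the parameterized form, and adds an allowlist check on the parameter as defence in depth for the interim workaround above.

```python
import re
import sqlite3

# Constructed stand-in for the employer table the servlet would query.
# Schema, column names and rows are assumptions for this example only.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employer (id INTEGER PRIMARY KEY, name TEXT, portal_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO employer (name, portal_code) VALUES (?, ?)",
        [("Acme Clinic", "ACME-001"), ("Beta Health", "BETA-002")],
    )
    return conn


def lookup_employer_vulnerable(conn, employer):
    # Vulnerable pattern: the untrusted 'employer' value becomes part of the
    # SQL statement itself, so quote characters change the query's logic.
    sql = "SELECT name, portal_code FROM employer WHERE name = '" + employer + "'"
    return conn.execute(sql).fetchall()


def lookup_employer_fixed(conn, employer):
    # Fixed pattern: a bound parameter. The database driver treats the value
    # purely as data; it can never alter the statement structure.
    sql = "SELECT name, portal_code FROM employer WHERE name = ?"
    return conn.execute(sql, (employer,)).fetchall()


# Hypothetical allowlist for an employer name: letters, digits, spaces and a
# few punctuation marks, bounded in length. Quotes, semicolons and SQL
# comment markers are rejected outright. Parameterization is the real fix;
# this only narrows what reaches the query while a patch is pending.
EMPLOYER_RE = re.compile(r"^[A-Za-z0-9 .&-]{1,100}$")


def employer_param_is_valid(employer):
    return bool(EMPLOYER_RE.fullmatch(employer))


def lookup_employer_hardened(conn, employer):
    # Validate first, then use the parameterized query.
    if not employer_param_is_valid(employer):
        return []
    return lookup_employer_fixed(conn, employer)


# Constructed tautology input used only to show the behavioural difference.
TAUTOLOGY_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_employer_vulnerable(db, TAUTOLOGY_INPUT))
    print("fixed:     ", lookup_employer_fixed(db, TAUTOLOGY_INPUT))
    print("hardened:  ", lookup_employer_hardened(db, TAUTOLOGY_INPUT))
```

Run as-is: the concatenating lookup returns every row for the tautology input, while the parameterized lookup returns nothing because it searches for the literal string. The same bound-parameter pattern applies to any JDBC `PreparedStatement` in a Java servlet; the SQLite and Python choice here is only for a self-contained demonstration.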

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2017-5598

Affected Products

Eclinicalworks Healow@Work