PT-2017-16604 · Eclinicalworks · Eclinicalworks Patient Portal

Published

2017-01-27

Updated

2017-02-01

CVE-2017-5599

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions eClinicalWorks Patient Portal version 7.0 build 13

Description A reflected Cross Site Scripting issue affects the raceMasterList.jsp page within the Patient Portal. The inserted payload is rendered within the Patient Portal, and since the raceMasterList.jsp page does not require authentication, it can be exploited to extract sensitive information or perform attacks against the user's browser. The issue specifically involves the race parameter.

Recommendations For eClinicalWorks Patient Portal version 7.0 build 13, consider restricting access to the raceMasterList.jsp page until a fix is available, and avoid using the race parameter in this page to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2017-5599

Affected Products

Eclinicalworks Patient Portal

PT-2017-16604 · Eclinicalworks · Eclinicalworks Patient Portal

CVE-2017-5599

Weakness Enumeration

Related Identifiers

Affected Products

References · 4