CVE-2021-3118

Name of the Vulnerable Software and Affected Versions EVOLUCARE ECSIMAGING (aka ECS Imaging) versions 6.21.5 and earlier

Description The issue affects the login form and the password-forgotten form, such as /req password user.php?email=, allowing an attacker to steal data in the database and obtain access to the application. The database component runs as root. This issue only affects products that are no longer supported by the maintainer.

Recommendations For EVOLUCARE ECSIMAGING versions 6.21.5 and earlier, consider disabling the login form and the password-forgotten form as a temporary workaround until a patch is available. Restrict access to the /req password user.php endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.