PT-2021-21264 · Cerner · Cerner Mobile Care

Published

2021-08-24

Updated

2021-08-31

CVE-2021-36385

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Cerner Mobile Care version 5.0.0

Description A SQL Injection issue allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the User ID field of the "default.aspx" page. This can lead to the execution of arbitrary system commands through the use of xp cmdshell.

Recommendations For Cerner Mobile Care version 5.0.0, consider restricting access to the default.aspx page or disabling the use of the User ID field until a patch is available. As a temporary workaround, avoid using the User ID field with special characters like the Fullwidth Apostrophe (U+FF07) to minimize the risk of exploitation.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2021-36385

Affected Products

Cerner Mobile Care

PT-2021-21264 · Cerner · Cerner Mobile Care

CVE-2021-36385

Weakness Enumeration

Related Identifiers

Affected Products

References · 7