CVE-2023-40539

Philips Vue PACS does not require that users have strong passwords, which could make it easier for attackers to compromise user accounts.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.philips.com/productsecurity	Product
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:philips:vue_pacs:*:*:*:*:*:*:*:*

History

05 Sep 2024, 21:14

Type	Values Removed	Values Added
First Time		Philips Philips vue Pacs
CVSS	v2 : ~~unknown~~ v3 : ~~4.4~~	v2 : unknown v3 : 5.9
References	~~() http://www.philips.com/productsecurity -~~	() http://www.philips.com/productsecurity - Product
References	~~() https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01 -~~	() https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01 - Third Party Advisory, US Government Resource
CPE		cpe:2.3:a:philips:vue_pacs::::::::

19 Jul 2024, 13:01

Type	Values Removed	Values Added
Summary		(es) Philips Vue PACS no requiere que los usuarios tengan contraseñas seguras, lo que podría facilitar que los atacantes comprometan las cuentas de los usuarios.

18 Jul 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-18 17:15

Updated : 2024-09-05 21:14

NVD link : CVE-2023-40539

Mitre link : CVE-2023-40539

CVE.ORG link : CVE-2023-40539

JSON object : View

Products Affected

philips

vue_pacs

CWE

CWE-521

Weak Password Requirements

{"id": "CVE-2023-40539", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 4.8, "automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-07-18T17:15:03.553", "references": [{"url": "http://www.philips.com/productsecurity", "tags": ["Product"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-521"}]}], "descriptions": [{"lang": "en", "value": "Philips Vue PACS does not require that users have strong passwords, which could make it easier for attackers to compromise user accounts."}, {"lang": "es", "value": "Philips Vue PACS no requiere que los usuarios tengan contrase\u00f1as seguras, lo que podr\u00eda facilitar que los atacantes comprometan las cuentas de los usuarios."}], "lastModified": "2024-09-05T21:14:36.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:philips:vue_pacs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3D16037-0684-4486-80A7-8EE98DD4E851", "versionEndExcluding": "12.2.8.410"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}