Vulnerability Note VU#630239
Epiphany Cardio Server is vulnerable to SQL and LDAP injection
The Epiphany Cardio Server is vulnerable to SQL injection and LDAP injection, allowing an unauthenticated attacker to gain administrator rights.
Epiphany Cardio Server was reported as being vulnerable to the following issues:
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-6537
An attacker on the local network may be able to bypass authentication, and access and modify patient information.
Apply an update
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Epiphany Healthcare | Affected | 14 Oct 2015 | 09 Dec 2015 |
Thanks to Alex Lauerman of TrustFoundry for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-6537, CVE-2015-6538
- Date Public: 30 Nov 2015
- Date First Published: 01 Dec 2015
- Date Last Updated: 09 Dec 2015
- Document Revision: 34