Vulnerability Details : CVE-2015-6538
The login page in Epiphany Cardio Server 3.3, 4.0, and 4.1 mishandles authentication requests, which allows remote attackers to conduct LDAP injection attacks, and consequently bypass intended access restrictions, via a crafted URL.
Products affected by CVE-2015-6538
- cpe:2.3:a:ephiphanyheathdata:cardio_server:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:ephiphanyheathdata:cardio_server:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:ephiphanyheathdata:cardio_server:3.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-6538
- EPSS score: 0.25% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~64% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-6538
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
| 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
References for CVE-2015-6538
- http://www.epiphanyhealthdata.com/blog/certresponse (Epiphany's CERT Response – 8 December 2015; Vendor Advisory)
- https://www.kb.cert.org/vuls/id/630239 (VU#630239 - Epiphany Cardio Server is vulnerable to SQL and LDAP injection; Third Party Advisory; US Government Resource)