CVE Details for CVE: CVE-2015-6538
Summary
The login page in Epiphany Cardio Server 3.3, 4.0, and 4.1 mishandles authentication requests, which allows remote attackers to conduct LDAP injection attacks, and consequently bypass intended access restrictions, via a crafted URL.
| Timestamps | |
|---|---|
| Last major update | 28-12-2015 - 18:44 |
| Published | 27-12-2015 - 19:59 |
| Last modified | 28-12-2015 - 18:44 |
Vulnerable Configurations
-
cpe:2.3:a:ephiphanyheathdata:cardio_server:4.1:*:*:*:*:*:*:*
cpe:2.3:a:ephiphanyheathdata:cardio_server:4.1:*:*:*:*:*:*:*
-
cpe:2.3:a:ephiphanyheathdata:cardio_server:4.0:*:*:*:*:*:*:*
cpe:2.3:a:ephiphanyheathdata:cardio_server:4.0:*:*:*:*:*:*:*
-
cpe:2.3:a:ephiphanyheathdata:cardio_server:3.3:*:*:*:*:*:*:*
cpe:2.3:a:ephiphanyheathdata:cardio_server:3.3:*:*:*:*:*:*:*
CWE
CVSS
Base
7.5
Impact
6.4
Exploitability
10.0
Access
| Vector | Complexity | Authentication |
|---|---|---|
| NETWORK | LOW | NONE |
Impact
| Confidentiality | Integrity | Availability |
|---|---|---|
| PARTIAL | PARTIAL | PARTIAL |
CVSS3
Base
9.8
Impact
5.9
Exploitability
3.9
Access
| Attack Complexity | Attack vector | Privileges Required | Scope | User Interaction |
|---|---|---|---|---|
| LOW | NETWORK | NONE | UNCHANGED | NONE |
Impact
| Confidentiality | Integrity | Availability |
|---|---|---|
| HIGH | HIGH | HIGH |
VIA4 references
cvss-vector
via4
cvss3-vector
via4
refmap
via4
| cert-vn | VU#630239 |
| confirm | http://www.epiphanyhealthdata.com/blog/certresponse |