CyberSec.Space Logo
返回 CVE 浏览器

CVE-2017-11614

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1940%
EPSS Percentile6.58th
Published2017年7月25日
Last Modified2026年5月13日

Vulnerability Description

MEDHOST Connex contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the database may be able to obtain or modify sensitive patient and financial information. Connex utilizes an IBM i DB2 user account for database access. The account name is HMSCXPDN. Its password is hard-coded in multiple places in the application. Customers do not have the option to change this password. The account has elevated DB2 roles, and can access all objects or database tables on the customer DB2 database. This account can access data through ODBC, FTP, and TELNET. Customers without Connex installed are still vulnerable because the MEDHOST setup program creates this account.

Affected Platforms (CPE)

📦
Medhost

Connex

All versions

References & Advisories

🔗 http://seclists.org/fulldisclosure/2017/Jul/59
🔗 http://seclists.org/fulldisclosure/2017/Jul/59

相关漏洞威胁

CVE-2017-117439.8

MEDHOST Connex contains a hard-coded Mirth Connect admin credential that is used for customer Mirth Connect management access. An ...

CVE-2021-274109.8

The affected product is vulnerable to an out-of-bounds write, which may result in corruption of data or code execution on the Welc...

CVE-2021-274087.5

The affected product is vulnerable to an out-of-bounds read, which can cause information leakage leading to arbitrary code executi...

CVE-2017-1446910.0

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Brad...