Moderate
C4G BLIS Improper Access Control
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
C4G BLIS Improper Access Control
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Computing For Good’s Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, “Improper Access Control.” As a result, an unauthenticated user may alter several facets of a user account, including promoting any user to an administrator.
Add Assessment
Ratings
-
Attacker ValueMedium
-
ExploitabilityVery High
Technical Analysis
Authentication bypass on medical software in general is a big utility to both an attacker and a liability for medical professionals using the software.
Where is may be less applicable in utility is simply in where it is used. The list of labs that do use this software is listed straight on the software’s website which hopefully allowed them to communicate the importance of patching before this vulnerability was announced (and hopefully they applied additional compensating controls in the process): http://blis.cc.gatech.edu/index.php
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- gatech
Products
- computing for good's basic laboratory information system
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
