CVE-2015-4592
published 2017-01-10


Priority: P2 (62) · CVSS 3.0 base score 8.8 (high)
Exploit: available · EPSS: 3.35% (percentile 87.2)
eClinicalWorks Population Health (CCMR) suffers from an SQL injection vulnerability in portalUserService.jsp which allows remote authenticated users to inject arbitrary malicious database commands as part of user input.

Detection & IOCs (extracted from sources)

Path: /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp
Command (POST body): action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=&zipcode=&[email protected]';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=
  • Monitor POST requests to portalUserService.jsp for SQL injection patterns in the 'uemail' parameter, specifically stacked queries using semicolons and WAITFOR DELAY (time-based blind SQLi against Microsoft SQL Server/Sybase).
  • Requests to portalUserService.jsp will include the header 'X-Requested-With: XMLHttpRequest' and Content-Type 'application/x-www-form-urlencoded'; flag POST requests to this endpoint containing SQL metacharacters (e.g., single quotes, double-dashes) in the uemail field.
  • The exploit uses Firefox 38 on Windows NT 6.1 (WOW64) as the User-Agent; correlate this UA with suspicious POST requests to the vulnerable endpoint.
  • The Referer header in exploitation attempts points to dashBoard.jsp; use this in combination with the POST target to correlate attack sessions.
  • The SQL injection is exploitable only by remote authenticated users; unauthenticated access to the vulnerable endpoint is not sufficient to trigger the vulnerability.
  • The backend database is Microsoft SQL Server or Sybase; the stacked-query WAITFOR DELAY technique is specific to these platforms and will not work against other database engines.
  • The application is also vulnerable to session fixation (CVE-2015-4594): it does not assign a new session ID upon authentication, meaning an attacker can pre-set a session ID and hijack it post-login; this may lower the bar for exploiting the authenticated SQLi.
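The detection guidance above, turned into a small inspector for raw HTTP requests. This is an added example, not code from the page or from eClinicalWorks; the two sample requests are constructed and the indicator list is taken from the bullets (quote, stacked query, comment terminator, WAITFOR DELAY).

```python
import re
from urllib.parse import parse_qs, urlparse

VULN_PATH = "/mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp"
HEADERS = ("Content-Type: application/x-www-form-urlencoded\r\n"
           "X-Requested-With: XMLHttpRequest\r\n\r\n")

# Constructed sample requests (not captured traffic): a benign profile update and
# one whose uemail value has the stacked-query shape quoted on this page.
BENIGN_REQUEST = (f"POST {VULN_PATH} HTTP/1.1\r\n" + HEADERS +
                  "action=updatePersonalInfo&ufname=john&ulname=doe"
                  "&uemail=john.doe%40example.com&upphone=0")
SUSPICIOUS_REQUEST = (f"POST {VULN_PATH} HTTP/1.1\r\n" + HEADERS +
                      "action=updatePersonalInfo&ufname=john&ulname=doe"
                      "&uemail=a%40example.com%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&upphone=0")

# Indicators named on the page: quote breakout, stacked query (;), comment
# terminator (--) and the MSSQL/Sybase time-based primitive.
INDICATORS = {
    "quote": re.compile(r"'"),
    "stacked_query": re.compile(r";"),
    "comment": re.compile(r"--"),
    "waitfor_delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.IGNORECASE),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlparse(target).path, headers, body


def inspect_request(raw):
    """Return indicator names found in the uemail field; [] when the request is
    not a form POST to the vulnerable endpoint or the value is clean."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != VULN_PATH:
        return []
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    # parse_qs percent-decodes, so %27 and %3B become the characters the database
    # would see; keep_blank_values keeps empty fields such as upaddress=.
    uemail = parse_qs(body, keep_blank_values=True).get("uemail", [""])[0]
    return [name for name, rx in INDICATORS.items() if rx.search(uemail)]
```

Matching on the decoded value matters: a WAF or log rule that inspects the raw body would miss `%27` and `%3B`, while the database receives the literal quote and semicolon.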

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, vector AV:N/AC:L/Au:S/C:P/I:P/A:P