CVE-2016-6272
Published 2018-02-20
Priority: P2 · 64 · high · CVSS 3.0 score 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 21.25% (97.3rd percentile)
XPath injection vulnerability in Epic MyChart allows remote attackers to access contents of an XML document containing static display strings, such as field labels, via the topic parameter to help.asp. NOTE: this was originally reported as a SQL injection vulnerability, but this may be inaccurate.
Detection & IOCs (extracted from sources)
URL: https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*8 OR "000OxPf"="000OxPf
- Monitor HTTP requests to /mychart/help.asp where the 'topic' query parameter contains XPath injection patterns such as quote characters ("), boolean logic keywords (AND, OR), or arithmetic expressions (e.g., 2*3*8=6*8), which are characteristic of blind XPath injection probing.
- Look for the caret (^) delimiter pattern in the topic parameter (e.g., COMPONENT^COOKIEENABLE) combined with injected boolean or arithmetic expressions, as this is the specific payload structure used in exploitation.
- Use the Google dork 'MyChart® licensed from Epic Systems Corporation' to identify publicly exposed MyChart instances that may be vulnerable.
- The vulnerability was originally misclassified as SQL injection; it is actually an XPath injection. Detection rules targeting SQL injection patterns alone may miss this attack vector.
- The XPath injection only exposes static XML display strings (e.g., field labels), not dynamic patient data or database records. Impact scope should be assessed accordingly.
CVSS provenance
NVD, CVSS v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
No writeups or analysis indexed.