Zoll Defibrillator Dashboard would execute contents of random Excel files ordinary users could import

A defibrillator management platform was riddled with vulnerabilities including a remote command execution flaw that could seemingly be invoked by uploading an Excel spreadsheet to the platform.


Or so warned the US's Cybersecurity and Infrastructure Security Agency, which said the Defibrillator Dashboard software, made by medical devices firm Zoll, contained six flaws in total, the combined effect of which could present an infosec Swiss cheese for malicious people to exploit.


As well as allowing low-privileged users to upload files that the dashboard software would then execute, it saved user credentials in plaintext, stored passwords in "a recoverable format" permitting their extraction from web browsers, and was also vulnerable to cross-site scripting (XSS) attacks.

Rated at 9.9 on the CVSS v3.0 severity scale, the file upload vuln (CVE-2021-27489) could ..
