This article discusses CVE-2021-23173, a vulnerability in Philips Engage Software that could allow an authenticated user to access sensitive data improperly.
Understanding CVE-2021-23173
CVE-2021-23173 is an improper access control vulnerability in Philips Engage Software that was reported by Parnassia and S-Unit to CISA.
What is CVE-2021-23173?
The vulnerability in Engage Software could permit an authenticated user to gain unauthorized access to sensitive data due to improper access control.
The Impact of CVE-2021-23173
This vulnerability is rated low severity, with a CVSS base score of 2.6. Exploitation requires low privileges and user interaction, and the attack complexity is high.
Technical Details of CVE-2021-23173
CVE-2021-23173 has a CVSS score of 2.6/10 (Low), with high attack complexity and a network attack vector.
Vulnerability Description
The vulnerability is caused by improper access control, allowing authenticated users to access sensitive data.
Affected Systems and Versions
The affected product is Engage Software by Philips, with versions prior to 6.2.1 being impacted.
Exploitation Mechanism
An authenticated user can exploit the vulnerability to gain unauthorized access to sensitive information.
Mitigation and Prevention
To mitigate CVE-2021-23173, Philips released and deployed an updated Version 6.2.2 in September 2021. Users of Engage Software are not required to take any immediate action.
Immediate Steps to Take
Users are advised to ensure they are running Engage Software Version 6.2.2 or later to prevent exploitation of this vulnerability.
Long-Term Security Practices
Regularly update software and ensure patches are applied promptly to prevent security vulnerabilities.
Patching and Updates
Stay informed about security updates and follow best practices to maintain a secure environment for Philips Engage Software users.