PatchSiren cyber security CVE debrief
CVE-2017-5599 Eclinicalworks CVE debrief
CVE-2017-5599 is a reflected cross-site scripting issue in eClinicalWorks Patient Portal 7.0 build 13. The vulnerable raceMasterList.jsp page does not require authentication, and input supplied through the race parameter can be rendered back into the portal. Because the payload is reflected in the browser context, an attacker could use it to target portal users, potentially exposing sensitive information or manipulating browser-side actions.
- Vendor: Eclinicalworks
- Product: CVE-2017-5599
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Security teams responsible for eClinicalWorks Patient Portal deployments, web application owners, and administrators who expose raceMasterList.jsp to the internet or broader internal networks should prioritize this issue. It also matters to anyone who relies on the portal for patient-facing workflows, since reflected XSS can affect logged-in users who visit a crafted link.
Technical summary
The NVD record maps this issue to CWE-79 and describes a reflected XSS condition in raceMasterList.jsp for eClinicalWorks Patient Portal 7.0 build 13. The affected page is reachable without authentication, and the race parameter is the injection point noted in the record. The NVD CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which reflects network reachability, no privileges required, and user interaction needed to trigger the browser-side impact.
Defensive priority
Medium. The CVSS base score is 6.1, and the unauthenticated nature of the vulnerable page increases exposure, especially if the portal is externally reachable.
Recommended defensive actions
- Identify all eClinicalWorks Patient Portal 7.0 build 13 instances and confirm whether raceMasterList.jsp is reachable.
- Treat the race parameter as untrusted input and verify that application output encoding or contextual sanitization is applied on the affected page.
- Apply vendor security updates or remediation guidance if available for the Patient Portal build in use.
- Restrict exposure of the patient portal to trusted networks where feasible until remediation is complete.
- Monitor for unusual portal traffic and user-reported browser pop-ups, redirects, or suspicious links involving raceMasterList.jsp.
- If compensating controls are needed, add web application firewall rules and server-side filtering specific to the affected endpoint while testing a permanent fix.
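As an added example (not part of the PatchSiren record or any vendor tooling), the monitoring step above applied to web access logs in Python: the scan flags requests to raceMasterList.jsp whose race parameter contains markup metacharacters after URL decoding, and records whether the server answered 200 (the page responded, so the input was likely reflected) or a blocking status. The sample log lines, the /portal/jsp/ path prefix and the client addresses are constructed assumptions; only the page name and parameter name come from the record.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); the /portal/jsp/
# path prefix is an assumption, only raceMasterList.jsp and race are from the record.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2017:08:12:01 +0000] "GET /portal/jsp/raceMasterList.jsp?race=Asian HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2017:08:12:44 +0000] "GET /portal/jsp/raceMasterList.jsp?race=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2017:08:13:02 +0000] "GET /portal/jsp/login.jsp?race=%3Cb%3E HTTP/1.1" 200 980 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2017:08:14:10 +0000] "GET /portal/jsp/raceMasterList.jsp?race=%2522%253E%253Cb%253Ex HTTP/1.1" 403 312 "-" "Mozilla/5.0"
"""

# Combined/common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters and tokens that have no place in a race name but do in injected markup.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)


def scan_line(line: str):
    """Return a finding dict for a raceMasterList.jsp request whose race
    parameter carries markup metacharacters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/racemasterlist.jsp"):
        return None
    # parse_qs percent-decodes once; decode again to catch double-encoding (%253C).
    for value in parse_qs(url.query, keep_blank_values=True).get("race", []):
        decoded = unquote(value)
        if MARKUP_RE.search(decoded):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "race": decoded,
                # 200 means the page answered, so the input was likely reflected;
                # 403 usually means a WAF rule or server-side filter stopped it.
                "reflected": m.group("status") == "200",
            }
    return None


def scan_log(text: str) -> list:
    """Scan a whole log and return every finding in order of appearance."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]
```

A 200 finding is the one to escalate: it shows the unpatched page still reflecting the input rather than a compensating control absorbing it.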
Evidence notes
The description in the supplied corpus states that this is a reflected XSS vulnerability affecting raceMasterList.jsp in eClinicalWorks Patient Portal 7.0 build 13, that the page does not require authentication, and that the race parameter is involved. The NVD metadata classifies the weakness as CWE-79 and lists CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. References in the record include a SecurityFocus BID entry and a third-party advisory gist; no direct vendor advisory was supplied in the corpus.
Official resources
- CVE-2017-5599 CVE record (CVE.org)
- CVE-2017-5599 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE published by NVD/CVE on 2017-01-27T10:59:00.193Z. The supplied NVD record was last modified on 2026-05-13T00:24:29.033Z. These dates describe record publication and update timing, not a separate incident date.