PatchSiren

Eclinicalworks CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Eclinicalworks CVE published 2017-01-27

CVE-2017-5599

CVE-2017-5599 is a reflected cross-site scripting issue in eClinicalWorks Patient Portal 7.0 build 13. The vulnerable raceMasterList.jsp page does not require authentication, and input supplied through the race parameter can be rendered back into the portal. Because the payload is reflected in the browser context, an attacker could use it to target portal users, potentially exposing sensitive information [truncated]

HIGH Eclinicalworks CVE published 2017-01-27

CVE-2017-5598

CVE-2017-5598 describes an unauthenticated blind SQL injection in eClinicalWorks healow@work 8.0 build 8. The issue is exposed through the EmployeePortalServlet and can be triggered via HTTP POST requests against the employer parameter. NVD rates the flaw as network exploitable, requiring no privileges or user interaction, with high confidentiality impact, making it a serious database exposure risk for a [truncated]

HIGH Eclinicalworks CVE published 2017-01-23

CVE-2017-5570

CVE-2017-5570 describes an authenticated blind SQL injection in eClinicalWorks Patient Portal 7.0 build 13, exposed through messageJson.jsp. According to the CVE record, the flaw can be triggered with an HTTP POST request and may be used to extract database data via out-of-band techniques. The recorded CVSS 3.0 score is 8.8 (HIGH), reflecting the potential for major impact once an attacker has valid access.

CRITICAL Eclinicalworks CVE published 2017-01-23

CVE-2017-5569

CVE-2017-5569 is a critical SQL injection flaw in eClinicalWorks Patient Portal 7.0 build 13. The issue is described as a blind SQL injection in template.jsp that can be triggered without authentication through an HTTP POST request. Because the flaw can be used with out-of-band techniques to pull database data to a malicious server, it presents a high-risk exposure for patient portal deployments.