PT-2019-9680 · Ascensia · Ascensia Contour Next One

Published: 2019-05-06 · Updated: 2020-08-24 · CVE-2018-18976

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ascensia Contour NEXT ONE application for iOS and Android, versions prior to 2019-01-15

Description: The issue allows an attacker to retrieve the encrypted medical information of any user of the Ascensia cloud platform by performing Insecure Direct Object Reference (IDOR) requests with a series of user id values. This information can be decrypted through a different issue.

Recommendations: For versions prior to 2019-01-15, update to a version released after 2019-01-15 to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoint to minimize the risk of exploitation, and avoid using the user id parameter in the affected API endpoint until the issue is resolved.
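As an added example (not code from this advisory or from Ascensia), a minimal Python illustration of the weak lookup pattern behind an IDOR of this kind, the ownership check that closes it, and a log-side check for id enumeration; the record store, the Session class and the access-log shape are all hypothetical.

```python
"""Added example, not Ascensia's code. All names and data are hypothetical."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample store: user id -> encrypted medical record blob.
RECORDS: Dict[int, bytes] = {
    1001: b"<encrypted record for user 1001>",
    1002: b"<encrypted record for user 1002>",
}


@dataclass(frozen=True)
class Session:
    """Authenticated session; user_id is taken from the auth token, never from the request."""
    user_id: int


def fetch_record_vulnerable(requested_user_id: int) -> Optional[bytes]:
    """Weak pattern: the record is looked up directly by a client-supplied
    user id with no ownership check, so any id in the series can be read."""
    return RECORDS.get(requested_user_id)


def fetch_record_hardened(session: Session, requested_user_id: int) -> Optional[bytes]:
    """Hardened pattern: the requested id must match the authenticated principal.
    A mismatch gets the same answer as a missing record, so the endpoint does
    not confirm which other ids exist."""
    if requested_user_id != session.user_id:
        return None
    return RECORDS.get(session.user_id)


def fetch_own_record(session: Session) -> Optional[bytes]:
    """Preferred pattern: drop the user id parameter entirely and scope the
    lookup to the session identity, as the workaround above suggests."""
    return RECORDS.get(session.user_id)


def flag_enumeration(access_log: Iterable[Tuple[int, int]], threshold: int = 5) -> List[int]:
    """Detection helper over (session_user_id, requested_user_id) pairs taken from
    API access logs: returns sessions that asked for more than `threshold`
    distinct ids other than their own, the signature of id enumeration."""
    seen: Dict[int, Set[int]] = {}
    for session_user, requested in access_log:
        if requested != session_user:
            seen.setdefault(session_user, set()).add(requested)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


# Constructed access log: session 1001 walks eight foreign ids, session 1002 reads only its own.
SAMPLE_LOG = [(1001, 1001)] + [(1001, uid) for uid in range(1002, 1010)] + [(1002, 1002)]
```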

Exploit

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2018-18976

Affected Products

Ascensia Contour Next One