Birk Kauer

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** A relative path traversal attack allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file, an attacker can execute arbitrary commands. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, restrict access to file upload functionality until a fix is available. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, consider disabling the file upload feature to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** A vulnerability allows attackers to recover user credentials of the administrative interface. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, update to a version later than L81/U61 to resolve the issue. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, update to a version later than A11 to resolve the issue. As a temporary workaround, consider restricting access to the administrative interface until a patch is available.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** A XPath injection issue allows unauthenticated remote attackers to access sensitive information and escalate privileges. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, update to a version later than L81/U61 to resolve the issue. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, update to a version later than A11 to resolve the issue. As a temporary workaround, consider restricting access to sensitive information and privileges until a patch is available.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** The issue is related to improper access controls, allowing attackers to extract and tamper with the device's network configuration. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, restrict access to the network configuration to minimize the risk of exploitation. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, consider implementing additional security measures to prevent unauthorized access to the device's network configuration. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SOOIL Developments Co., Ltd Diabecare RS (affected versions not specified) AnyDana-i (affected versions not specified) AnyDana-A (affected versions not specified) Description: The communication protocol of the insulin pump and its mobile applications uses deterministic keys, allowing unauthenticated, physically proximate attackers to brute-force the keys via Bluetooth Low Energy. Recommendations: For SOOIL Developments Co., Ltd Diabecare RS, consider restricting Bluetooth Low Energy access to minimize the risk of exploitation. For AnyDana-i, restrict access to the mobile application's communication protocol until a patch is available. For AnyDana-A, avoid using the deterministic keys in the communication protocol until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Diabecare RS (affected versions not specified) AnyDana-i (affected versions not specified) AnyDana-A (affected versions not specified) Description: A client-side control issue in the insulin pump and its mobile applications allows physically proximate attackers to bypass user authentication checks via Bluetooth Low Energy. This affects the Diabecare RS, AnyDana-i, and AnyDana-A products. Recommendations: For Diabecare RS, consider disabling Bluetooth Low Energy connectivity until a patch is available. For AnyDana-i, restrict access to the mobile application's authentication features to minimize the risk of exploitation. For AnyDana-A, avoid using the device in areas where physically proximate attackers could bypass user authentication checks via Bluetooth Low Energy until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Diabecare RS (affected versions not specified) AnyDana-i (affected versions not specified) AnyDana-A (affected versions not specified) Description: A client-side control issue in the insulin pump and its mobile applications allows physically proximate attackers to bypass checks for default PINs via Bluetooth Low Energy. This could potentially affect a significant number of devices, although the exact number is not specified. Recommendations: For Diabecare RS, consider disabling Bluetooth Low Energy connectivity until a patch is available. For AnyDana-i, restrict access to the default PIN check functionality to minimize the risk of exploitation. For AnyDana-A, avoid using the default PIN configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A (affected versions not specified) Description: The communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures. This allows unauthenticated, physically proximate attackers to replay communication sequences via Bluetooth Low Energy. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SOOIL Developments Co Ltd DiabecareRS, AnyDana-i & AnyDana-A (affected versions not specified) Description: The communication protocol of the insulin pump and its AnyDana-i & AnyDana-A mobile apps does not use adequate measures to authenticate the communicating entities before exchanging keys. This allows unauthenticated, physically proximate attackers to eavesdrop the authentication sequence via Bluetooth Low Energy. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Innokas Yhtymä Oy Vital Signs Monitor VC150 versions prior to 1.7.15 Description: The issue allows physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into specific HL7 v2.x messages via multiple expected parameters. This is related to HL7 v2.x injection vulnerabilities in the affected products. Recommendations: For versions prior to 1.7.15, update to version 1.7.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the barcode reader or limiting the ability to inject HL7 v2.x segments into messages until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Innokas Yhtymä Oy Vital Signs Monitor VC150 versions prior to 1.7.15 Description: A stored cross-site scripting issue exists in the affected product, allowing an attacker to inject arbitrary web script or HTML via the `filename` parameter to multiple update endpoints of the administrative web interface. Recommendations: For versions prior to 1.7.15, update to version 1.7.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the administrative web interface to minimize the risk of exploitation. Avoid using the `filename` parameter in the affected update endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BinaryNights ForkLift versions 3.x before 3.4 **Description** The issue is related to a local privilege escalation due to the implementation of an XPC interface in the privileged helper tool. This interface allows any process to perform file operations such as copy, move, delete as root, and also change permissions. **Recommendations** For BinaryNights ForkLift versions 3.x before 3.4, update to version 3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the XPC interface implemented by the privileged helper tool to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BinaryNights ForkLift version 3.4 **Description** A local attacker can inject code into ForkLift due to it being compiled with the `com.apple.security.cs.disable-library-validation` flag enabled. This allows the attacker to run malicious code with escalated privileges through ForkLift's helper tool. **Recommendations** For BinaryNights ForkLift version 3.4, consider disabling the helper tool until a patch is available to prevent malicious code injection. Restrict access to ForkLift to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** B. Braun OnlineSuite versions prior to AP 3.0 **Description** An Excel Macro Injection issue exists in the export feature due to mishandled input fields in the Excel export. **Recommendations** For versions prior to AP 3.0, consider disabling the export feature to the Excel format until a patch is available. Restrict access to the export functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** The issue is related to the configuration import mechanism, which allows attackers with command line access to the underlying Linux system to escalate privileges to the root user. This is due to insecure privilege management in the firmware of the affected medical devices. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, update to a version later than L81/U61 to resolve the issue. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, update to a version later than A11 to resolve the issue. As a temporary workaround, consider restricting command line access to the underlying Linux system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Patient Information Center iX (PICiX) versions B.02, C.02, C.03 **Description** The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application. **Recommendations** For versions B.02, C.02, C.03, consider implementing input validation and sanitization to prevent unauthorized access to patient data. As a temporary workaround, consider restricting access to the read-only web application until a patch is available. Avoid using user-controllable input in the webpage output until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SquirrelMail version 1.4.22 **Description** A directory traversal flaw allows an authenticated attacker to exfiltrate or potentially delete files from the hosting server. This issue is related to the use of ../ in the `att local name` field in Deliver.class.php. **Recommendations** For SquirrelMail version 1.4.22, consider restricting access to the Deliver.class.php file or disabling the functionality related to the `att local name` field until a patch is available. Avoid using the `att local name` field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.