Dr. Oliver Matula

**Name of the Vulnerable Software and Affected Versions** Mitel OpenScape 4000 versions V10 R1.54.1 and earlier Mitel OpenScape 4000 Manager versions V10 R1.54.1 and earlier Mitel OpenScape 4000 versions V11 through R0.22.1 Mitel OpenScape 4000 Manager versions V11 through R0.22.1 **Description** The issue allows an authenticated attacker to conduct a privilege escalation attack due to the execution of a resource with unnecessary privileges. A successful exploit could allow an attacker to execute arbitrary commands with elevated privileges. **Recommendations** For Mitel OpenScape 4000 versions V10 R1.54.1 and earlier, update to a version later than V10 R1.54.1 to resolve the issue. For Mitel OpenScape 4000 Manager versions V10 R1.54.1 and earlier, update to a version later than V10 R1.54.1 to resolve the issue. For Mitel OpenScape 4000 versions V11 through R0.22.1, update to a version later than R0.22.1 to resolve the issue. For Mitel OpenScape 4000 Manager versions V11 through R0.22.1, update to a version later than R0.22.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mitel OpenScape 4000 and OpenScape 4000 Manager versions V11 R0.22.0 through V11 R0.22.1 Mitel OpenScape 4000 and OpenScape 4000 Manager versions V10 R1.54.0 through V10 R1.54.1 Mitel OpenScape 4000 and OpenScape 4000 Manager versions V10 R1.42.6 and earlier **Description** The Platform component could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands within the same privilege level as the web access process. **Recommendations** For versions V11 R0.22.0 through V11 R0.22.1, update to a version that addresses the command injection issue. For versions V10 R1.54.0 through V10 R1.54.1, update to a version that addresses the command injection issue. For versions V10 R1.42.6 and earlier, update to a version that addresses the command injection issue. As a temporary workaround, consider restricting access to the Platform component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions 0.7.0 through 1.23.2 **Description** The issue is related to the JoltTransformJSON Processor in Apache NiFi, which provides an advanced configuration user interface vulnerable to DOM-based cross-site scripting. If an authenticated user visits a crafted URL, arbitrary JavaScript code can be executed within the session context of the authenticated user. **Recommendations** For Apache NiFi versions 0.7.0 through 1.23.2, upgrade to Apache NiFi 1.24.0 or 2.0.0-M1 to mitigate the issue. As a temporary workaround, consider restricting access to the JoltTransformJSON Processor for authenticated users until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** A relative path traversal attack allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file, an attacker can execute arbitrary commands. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, restrict access to file upload functionality until a fix is available. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, consider disabling the file upload feature to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** A vulnerability allows attackers to recover user credentials of the administrative interface. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, update to a version later than L81/U61 to resolve the issue. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, update to a version later than A11 to resolve the issue. As a temporary workaround, consider restricting access to the administrative interface until a patch is available.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** A XPath injection issue allows unauthenticated remote attackers to access sensitive information and escalate privileges. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, update to a version later than L81/U61 to resolve the issue. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, update to a version later than A11 to resolve the issue. As a temporary workaround, consider restricting access to sensitive information and privileges until a patch is available.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** The issue is related to improper access controls, allowing attackers to extract and tamper with the device's network configuration. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, restrict access to the network configuration to minimize the risk of exploitation. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, consider implementing additional security measures to prevent unauthorized access to the device's network configuration. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 **Description** The issue allows user input to be validated on the client side without proper authentication by the server. This is problematic because the server should not rely solely on the correctness of the data sent by the client, as users may not support or block JavaScript, or could intentionally bypass the client-side checks. An attacker with knowledge of the service user could exploit this by circumventing the client-side control, potentially allowing them to login with service privileges. **Recommendations** For Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3, consider implementing server-side validation to authenticate user input properly, ensuring that the server does not rely on client-side checks alone. As a temporary workaround, restrict access to service user accounts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fresenius Kabi Vigilant MasterMed version 2.0.1.3 **Description** An attacker with physical access to the host can extract secrets from the registry and create valid JWT tokens for the application, allowing them to impersonate arbitrary users. This could also enable the manipulation of RabbitMQ queues and messages by impersonating users. **Recommendations** For Fresenius Kabi Vigilant MasterMed version 2.0.1.3, consider restricting physical access to the host to minimize the risk of exploitation. As a temporary workaround, restrict access to the registry and limit the ability to create JWT tokens. Additionally, monitor RabbitMQ queues and messages for suspicious activity. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fresenius Kabi Agilia Link+ versions 3.0 and prior **Description** The issue allows access to sensitive endpoints without requiring authentication information, such as a session cookie. This enables an attacker to send requests to these endpoints as an unauthenticated user, potentially performing critical actions or modifying critical configuration parameters. **Recommendations** For Fresenius Kabi Agilia Link+ versions 3.0 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ypsomed mylife Cloud versions prior to 1.7.2 Ypsomed mylife App versions prior to 1.7.5 **Description** The application layer encryption of the communication protocol between the Ypsomed mylife App and mylife Cloud uses non-random IVs, which allows man-in-the-middle attackers to tamper with messages. **Recommendations** For Ypsomed mylife Cloud versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. For Ypsomed mylife App versions prior to 1.7.5, update to version 1.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data exchanged between the Ypsomed mylife App and mylife Cloud until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Ypsomed mylife Cloud versions prior to 1.7.2 Ypsomed mylife App versions prior to 1.7.5 **Description** The Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from a HTTPS endpoint to a HTTP endpoint. **Recommendations** For Ypsomed mylife Cloud versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. For Ypsomed mylife App versions prior to 1.7.5, update to version 1.7.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ypsomed mylife Cloud versions prior to 1.7.2 Ypsomed mylife App versions prior to 1.7.5 **Description** The Ypsomed mylife Cloud discloses password hashes during the registration process. **Recommendations** For Ypsomed mylife Cloud versions prior to 1.7.2, update to version 1.7.2 or later. For Ypsomed mylife App versions prior to 1.7.5, update to version 1.7.5 or later.

Name of the Vulnerable Software and Affected Versions: Hamilton Medical AG T1-Ventillator versions 2.2.3 and prior Description: The issue is related to an XML validation vulnerability in the ventilator, allowing privileged attackers with physical access to render the device persistently unusable by uploading specially crafted configuration files. Recommendations: For Hamilton Medical AG T1-Ventillator versions 2.2.3 and prior, consider restricting physical access to the device to prevent exploitation of the XML validation vulnerability until a patch is available. As a temporary workaround, consider disabling the upload of configuration files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Innokas Yhtymä Oy Vital Signs Monitor VC150 versions prior to 1.7.15 Description: A stored cross-site scripting issue exists in the affected product, allowing an attacker to inject arbitrary web script or HTML via the `filename` parameter to multiple update endpoints of the administrative web interface. Recommendations: For versions prior to 1.7.15, update to version 1.7.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the administrative web interface to minimize the risk of exploitation. Avoid using the `filename` parameter in the affected update endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Innokas Yhtymä Oy Vital Signs Monitor VC150 versions prior to 1.7.15 Description: The issue allows physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into specific HL7 v2.x messages via multiple expected parameters. This is related to HL7 v2.x injection vulnerabilities in the affected products. Recommendations: For versions prior to 1.7.15, update to version 1.7.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the barcode reader or limiting the ability to inject HL7 v2.x segments into messages until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** B. Braun OnlineSuite versions prior to AP 3.0 **Description** An Excel Macro Injection issue exists in the export feature due to mishandled input fields in the Excel export. **Recommendations** For versions prior to AP 3.0, consider disabling the export feature to the Excel format until a patch is available. Restrict access to the export functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** The issue is related to the configuration import mechanism, which allows attackers with command line access to the underlying Linux system to escalate privileges to the root user. This is due to insecure privilege management in the firmware of the affected medical devices. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, update to a version later than L81/U61 to resolve the issue. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, update to a version later than A11 to resolve the issue. As a temporary workaround, consider restricting command line access to the underlying Linux system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Patient Information Center iX (PICiX) versions B.02, C.02, C.03 **Description** The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application. **Recommendations** For versions B.02, C.02, C.03, consider implementing input validation and sanitization to prevent unauthorized access to patient data. As a temporary workaround, consider restricting access to the read-only web application until a patch is available. Avoid using user-controllable input in the webpage output until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.