Linda Huischen

**Name of the Vulnerable Software and Affected Versions** Ypsomed mylife Cloud versions prior to 1.7.2 Ypsomed mylife App versions prior to 1.7.5 **Description** The application layer encryption of the communication protocol between the Ypsomed mylife App and mylife Cloud uses non-random IVs, which allows man-in-the-middle attackers to tamper with messages. **Recommendations** For Ypsomed mylife Cloud versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. For Ypsomed mylife App versions prior to 1.7.5, update to version 1.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data exchanged between the Ypsomed mylife App and mylife Cloud until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Ypsomed mylife Cloud versions prior to 1.7.2 Ypsomed mylife App versions prior to 1.7.5 **Description** The Ypsomed mylife Cloud discloses password hashes during the registration process. **Recommendations** For Ypsomed mylife Cloud versions prior to 1.7.2, update to version 1.7.2 or later. For Ypsomed mylife App versions prior to 1.7.5, update to version 1.7.5 or later.

**Name of the Vulnerable Software and Affected Versions** Ypsomed mylife Cloud versions prior to 1.7.2 Ypsomed mylife App versions prior to 1.7.5 **Description** The Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from a HTTPS endpoint to a HTTP endpoint. **Recommendations** For Ypsomed mylife Cloud versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. For Ypsomed mylife App versions prior to 1.7.5, update to version 1.7.5 or later to resolve the issue.