Nils Emmerich

**Name of the Vulnerable Software and Affected Versions** Big Requests extension (affected versions not specified) **Description** A flaw was found in the Big Requests extension, where the request length is multiplied by 4 before checking against the maximum allowed size. This can potentially cause an integer overflow, allowing an attacker to bypass the size check. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. **Description** A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. **Description** A flaw was found in the handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Carbon Black Cloud Windows Sensor versions prior to 4.0.3 **Description** The issue is related to an Information Leak vulnerability, which is a type of problem whereby sensitive information may be exposed due to a vulnerability in software. This vulnerability may allow sensitive information to be leaked, potentially compromising the security of the system. **Recommendations** For versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Vaultwarden versions prior to 1.32.5 **Description** The issue allows attackers to execute arbitrary code via injecting a crafted payload into the `username` field of an e-mail message. This is an HTML injection vulnerability. **Recommendations** For versions prior to 1.32.5, update to version 1.32.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `username` field in e-mail messages until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Vaultwarden versions prior to 1.32.5 **Description** An issue in the component src/api/identity.rs of Vaultwarden allows attackers to impersonate users, including Administrators, via a crafted authorization request. This issue enables attackers to manipulate authorization requests to gain unauthorized access. **Recommendations** For versions prior to 1.32.5, update to version 1.32.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the src/api/identity.rs component until a patch is applied. Avoid using crafted authorization requests in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Vaultwarden version 1.32.5 **Description** The issue is related to an authenticated reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is present in the /api/core/mod.rs component. **Recommendations** For Vaultwarden version 1.32.5, consider restricting access to the /api/core/mod.rs component until a patch is available. As a temporary workaround, avoid using the vulnerable component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** lua-resty-jwt version 0.2.3 **Description** The issue allows attackers to bypass all JWT-parsing signature checks by crafting a JWT with an `enc` header with the value `A256GCM`. This enables them to potentially access unauthorized resources or perform malicious actions. **Recommendations** For lua-resty-jwt version 0.2.3, as a temporary workaround, consider restricting the use of the `enc` header or validating its value to prevent it from being set to `A256GCM` until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** A relative path traversal attack allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file, an attacker can execute arbitrary commands. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, restrict access to file upload functionality until a fix is available. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, consider disabling the file upload feature to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** The issue is related to improper access controls, allowing attackers to extract and tamper with the device's network configuration. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, restrict access to the network configuration to minimize the risk of exploitation. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, consider implementing additional security measures to prevent unauthorized access to the device's network configuration. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** A vulnerability allows attackers to recover user credentials of the administrative interface. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, update to a version later than L81/U61 to resolve the issue. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, update to a version later than A11 to resolve the issue. As a temporary workaround, consider restricting access to the administrative interface until a patch is available.

**Name of the Vulnerable Software and Affected Versions** B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier B. Braun Melsungen AG Data module compactplus versions A10 and A11 **Description** A XPath injection issue allows unauthenticated remote attackers to access sensitive information and escalate privileges. **Recommendations** For B. Braun Melsungen AG SpaceCom versions L81/U61 and earlier, update to a version later than L81/U61 to resolve the issue. For B. Braun Melsungen AG Data module compactplus versions A10 and A11, update to a version later than A11 to resolve the issue. As a temporary workaround, consider restricting access to sensitive information and privileges until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 **Description** The issue allows user input to be validated on the client side without proper authentication by the server. This is problematic because the server should not rely solely on the correctness of the data sent by the client, as users may not support or block JavaScript, or could intentionally bypass the client-side checks. An attacker with knowledge of the service user could exploit this by circumventing the client-side control, potentially allowing them to login with service privileges. **Recommendations** For Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3, consider implementing server-side validation to authenticate user input properly, ensuring that the server does not rely on client-side checks alone. As a temporary workaround, restrict access to service user accounts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fresenius Kabi Vigilant MasterMed version 2.0.1.3 **Description** An attacker with physical access to the host can extract secrets from the registry and create valid JWT tokens for the application, allowing them to impersonate arbitrary users. This could also enable the manipulation of RabbitMQ queues and messages by impersonating users. **Recommendations** For Fresenius Kabi Vigilant MasterMed version 2.0.1.3, consider restricting physical access to the host to minimize the risk of exploitation. As a temporary workaround, restrict access to the registry and limit the ability to create JWT tokens. Additionally, monitor RabbitMQ queues and messages for suspicious activity. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fresenius Kabi Agilia Link+ versions 3.0 and prior **Description** The issue allows access to sensitive endpoints without requiring authentication information, such as a session cookie. This enables an attacker to send requests to these endpoints as an unauthenticated user, potentially performing critical actions or modifying critical configuration parameters. **Recommendations** For Fresenius Kabi Agilia Link+ versions 3.0 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ypsomed mylife Cloud versions prior to 1.7.2 Ypsomed mylife App versions prior to 1.7.5 **Description** The application layer encryption of the communication protocol between the Ypsomed mylife App and mylife Cloud uses non-random IVs, which allows man-in-the-middle attackers to tamper with messages. **Recommendations** For Ypsomed mylife Cloud versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. For Ypsomed mylife App versions prior to 1.7.5, update to version 1.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data exchanged between the Ypsomed mylife App and mylife Cloud until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Ypsomed mylife Cloud versions prior to 1.7.2 Ypsomed mylife App versions prior to 1.7.5 **Description** The Ypsomed mylife Cloud discloses password hashes during the registration process. **Recommendations** For Ypsomed mylife Cloud versions prior to 1.7.2, update to version 1.7.2 or later. For Ypsomed mylife App versions prior to 1.7.5, update to version 1.7.5 or later.

**Name of the Vulnerable Software and Affected Versions** Ypsomed mylife Cloud versions prior to 1.7.2 Ypsomed mylife App versions prior to 1.7.5 **Description** The Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from a HTTPS endpoint to a HTTP endpoint. **Recommendations** For Ypsomed mylife Cloud versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. For Ypsomed mylife App versions prior to 1.7.5, update to version 1.7.5 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Hamilton Medical AG T1-Ventillator versions 2.2.3 and prior Description: The issue is related to an XML validation vulnerability in the ventilator, allowing privileged attackers with physical access to render the device persistently unusable by uploading specially crafted configuration files. Recommendations: For Hamilton Medical AG T1-Ventillator versions 2.2.3 and prior, consider restricting physical access to the device to prevent exploitation of the XML validation vulnerability until a patch is available. As a temporary workaround, consider disabling the upload of configuration files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A (affected versions not specified) Description: The communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures. This allows unauthenticated, physically proximate attackers to replay communication sequences via Bluetooth Low Energy. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.