CVE-2020-25162
B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
In short
A vulnerability in B. Braun medical devices allows attackers to inject malicious commands into search queries, bypassing security to access sensitive patient information and gain higher privileges without needing a password.
Technical detail
An XPath injection vulnerability (CWE-643) in SpaceCom L81/U61 and Data module compactplus A10/A11 permits unauthenticated remote attackers to manipulate XPath queries, enabling unauthorized information disclosure and privilege escalation through specially crafted input vectors.
Summary generated and translated by AI from the official description.
An XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
B. Braun Melsungen AG · Battery pack with Wi-Fi
B. Braun Melsungen AG · Data module compactplus
B. Braun Melsungen AG · SpaceCom