CVE-2021-43355

Fresenius Kabi Agilia Connect Infusion System use of client side authentication

CVSS 7.3 HIGH | EPSS 1.0% | CWE-603
In short

The Fresenius Kabi Vigilant Software Suite validates user input only on the client side (in the browser), allowing attackers to bypass these checks and gain unauthorized access with elevated service privileges.

Technical detail

CWE-603: Client-side validation vulnerability in Fresenius Kabi Vigilant Software Suite v2.0.1.3 where authentication checks occur only in the browser without server-side verification. An attacker with knowledge of service account credentials can bypass client-side JavaScript controls to authenticate with administrative privileges, as the server does not validate input integrity.

Summary generated and translated by AI from the official description.
Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 allows user input to be validated on the client side without authentication by the server. The server should not rely on the correctness of the data because users might not support or block JavaScript or intentionally bypass the client-side checks. An attacker with knowledge of the service user could circumvent the client-side control and log in with service privileges.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
