Filtered by vendor Bd Subscriptions
Total 33 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-30565 1 Bd 1 Guardrails Cqi Reporter 2024-11-21 3.5 Low
An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.
CVE-2023-30564 1 Bd 1 Alaris Systems Manager 2024-11-21 6.9 Medium
Alaris Systems Manager does not perform input validation during the Device Import Function.
CVE-2023-30563 1 Bd 1 Alaris Systems Manager 2024-11-21 8.2 High
A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session.
CVE-2023-30562 1 Bd 1 Alaris Guardrails Editor 2024-11-21 3 Low
A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs.
CVE-2023-30561 1 Bd 2 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware 2024-11-21 6.1 Medium
The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.
CVE-2023-30560 2 Bd, Becton Dickinson And Co 3 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware, Bd Alarisa Point Of Care Unit Model 8015 2024-11-21 6.8 Medium
The configuration from the PCU can be modified without authentication using physical connection to the PCU.
CVE-2023-30559 1 Bd 2 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware 2024-11-21 5.2 Medium
The firmware update package for the wireless card is not properly signed and can be modified.
CVE-2023-29066 2 Bd, Hp 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 2024-11-21 3.2 Low
The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.
CVE-2023-29065 2 Bd, Hp 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 2024-11-21 4.1 Medium
The FACSChorus software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database.
CVE-2023-29064 2 Bd, Hp 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 2024-11-21 4.1 Medium
The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.
CVE-2023-29063 2 Bd, Hp 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 2024-11-21 2.4 Low
The FACSChorus workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup.
CVE-2023-29062 2 Bd, Hp 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 2024-11-21 3.8 Low
The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems.
CVE-2023-29061 2 Bd, Hp 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 2024-11-21 5.2 Medium
There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.
CVE-2023-29060 2 Bd, Hp 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 2024-11-21 5.4 Medium
The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.
CVE-2022-47376 1 Bd 1 Alaris Infusion Central 2024-11-21 7.3 High
The Alaris Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data.
CVE-2022-43557 1 Bd 14 Bodyguard 121 Twins, Bodyguard 121 Twins Firmware, Bodyguard 323 Colorvision and 11 more 2024-11-21 5.3 Medium
The BD BodyGuard™ infusion pumps specified allow for access through the RS-232 (serial) port interface. If exploited, threat actors with physical access, specialized equipment and knowledge may be able to configure or disable the pump. No electronic protected health information (ePHI), protected health information (PHI) or personally identifiable information (PII) is stored in the pump.
CVE-2022-40263 1 Bd 2 Totalys Multiprocessor, Totalys Multiprocessor Firmware 2024-11-21 6.6 Medium
BD Totalys MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability.
CVE-2022-30277 1 Bd 1 Synapsys 2024-11-21 5.7 Medium
BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).
CVE-2022-22767 1 Bd 32 Pyxis Anesthesia Station Es, Pyxis Anesthesia Station Es Firmware, Pyxis Ciisafe and 29 more 2024-11-21 8.8 High
Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.
CVE-2022-22766 1 Bd 48 Pyxis Anesthesia Station 4000, Pyxis Anesthesia Station 4000 Firmware, Pyxis Anesthesia Station Es and 45 more 2024-11-21 7 High
Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.