CVE-2020-25158 - OpenCVE

A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bbraun	Datamodule Compactplus Spacecom

Configuration 1 [-]

AND

OR	cpe:2.3:o:bbraun:datamodule_compactplus:a10:::::::*
	cpe:2.3:o:bbraun:datamodule_compactplus:a11:::::::*

cpe:2.3:h:bbraun:datamodule_compactplus:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:bbraun:spacecom:*:*:*:*:*:*:*:*

cpe:2.3:h:bbraun:spacecom:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html
https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-04-14T20:05:56

Updated: 2024-08-04T15:26:10.212Z

Reserved: 2020-09-04T00:00:00

Link: CVE-2020-25158

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-14T21:15:08.063

Modified: 2022-04-21T15:26:13.407

Link: CVE-2020-25158

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SpaceCom", "vendor": "B. Braun Melsungen AG", "versions": [{"lessThanOrEqual": "U61", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "L81", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Battery pack with Wi-Fi", "vendor": "B. Braun Melsungen AG", "versions": [{"lessThanOrEqual": "U61", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "L81", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Data module compactplus", "vendor": "B. Braun Melsungen AG", "versions": [{"status": "affected", "version": "A10"}, {"status": "affected", "version": "A11"}]}], "credits": [{"lang": "en", "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."}], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Cross-site Scripting", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-14T20:05:56", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"}], "solutions": [{"lang": "en", "value": "B. Braun recommends applying updates:\n\n SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory. https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"}], "source": {"discovery": "EXTERNAL"}, "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus", "workarounds": [{"lang": "en", "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n Ensure the devices are not accessible directly from the Internet.\n Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory. https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-25158", "STATE": "PUBLIC", "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SpaceCom", "version": {"version_data": [{"version_affected": "<=", "version_value": "U61"}, {"version_affected": "<=", "version_value": "L81"}]}}, {"product_name": "Battery pack with Wi-Fi", "version": {"version_data": [{"version_affected": "<=", "version_value": "U61"}, {"version_affected": "<=", "version_value": "L81"}]}}, {"product_name": "Data module compactplus", "version": {"version_data": [{"version_affected": "=", "version_value": "A10"}, {"version_affected": "=", "version_value": "A11"}]}}]}, "vendor_name": "B. Braun Melsungen AG"}]}}, "credit": [{"lang": "eng", "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Cross-site Scripting"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"}, {"name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html", "refsource": "CONFIRM", "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"}]}, "solution": [{"lang": "en", "value": "B. Braun recommends applying updates:\n\n SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory. https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"}], "source": {"discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n Ensure the devices are not accessible directly from the Internet.\n Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory. https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:26:10.212Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-25158", "datePublished": "2022-04-14T20:05:56", "dateReserved": "2020-09-04T00:00:00", "dateUpdated": "2024-08-04T15:26:10.212Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:bbraun:datamodule_compactplus:a10:*:*:*:*:*:*:*", "matchCriteriaId": "8AB0FE4F-48A0-49E0-B103-41FFFBFD3273", "vulnerable": true}, {"criteria": "cpe:2.3:o:bbraun:datamodule_compactplus:a11:*:*:*:*:*:*:*", "matchCriteriaId": "7CC88FD8-E19A-4C59-97D5-D7979C6B573F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:bbraun:datamodule_compactplus:-:*:*:*:*:*:*:*", "matchCriteriaId": "1715E3E2-C648-4439-8EB3-FD036B919B90", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:bbraun:spacecom:*:*:*:*:*:*:*:*", "matchCriteriaId": "5872EF69-4FA8-4D1B-8372-AB855C8EB0D2", "versionEndIncluding": "l81", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:bbraun:spacecom:-:*:*:*:*:*:*:*", "matchCriteriaId": "0EE9120E-BC31-410E-A371-D0C30EBBFEE5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."}, {"lang": "es", "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) reflejada en B. Braun Melsungen AG SpaceCom Versiones L81/U61 y anteriores, y el m\u00f3dulo de Datos compactplus Versiones A10 y A11, permite a atacantes remotos inyectar script web o HTML arbitrario en varias ubicaciones"}], "id": "CVE-2020-25158", "lastModified": "2022-04-21T15:26:13.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-04-14T21:15:08.063", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Broken Link"], "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}