Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for OnlineSuite by B. Braun Melsungen AG

    CVE-2025-3365 (GCVE-0-2025-3365)

    Vulnerability from nvd – Published: 2025-06-06 08:14 – Updated: 2025-06-06 17:12
    VLAI
    Title
    Relative Path Traversal in OnlineSuite
    Summary
    A missing protection against path traversal allows to access any file on the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3365",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:03:10.577417Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:12:51.401Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA missing protection against path traversal allows to access\nany file on the server.\u003c/p\u003e"
                }
              ],
              "value": "A missing protection against path traversal allows to access\nany file on the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:14:00.444Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Relative Path Traversal in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3365",
        "datePublished": "2025-06-06T08:14:00.444Z",
        "dateReserved": "2025-04-07T06:11:11.032Z",
        "dateUpdated": "2025-06-06T17:12:51.401Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3322 (GCVE-0-2025-3322)

    Vulnerability from nvd – Published: 2025-06-06 08:13 – Updated: 2025-06-06 17:29
    VLAI
    Title
    Improper Neutralization of Special Elements in OnlineSuite
    Summary
    An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3322",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:19:28.552605Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:29:30.972Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver.\u003c/p\u003e"
                }
              ],
              "value": "An improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-917",
                  "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:13:12.028Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Neutralization of Special Elements in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3322",
        "datePublished": "2025-06-06T08:13:12.028Z",
        "dateReserved": "2025-04-05T19:02:30.304Z",
        "dateUpdated": "2025-06-06T17:29:30.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3321 (GCVE-0-2025-3321)

    Vulnerability from nvd – Published: 2025-06-06 08:12 – Updated: 2025-06-06 18:25
    VLAI
    Title
    Use of Hard-coded Credentials in OnlineSuite
    Summary
    A predefined administrative account is not documented and cannot be deactivated. This account cannot be misused from the network, only by local users on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:42:18.841236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T18:25:54.094Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eA predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server.\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "A predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:12:46.971Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Use of Hard-coded Credentials in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3321",
        "datePublished": "2025-06-06T08:12:46.971Z",
        "dateReserved": "2025-04-05T19:01:47.895Z",
        "dateUpdated": "2025-06-06T18:25:54.094Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25174 (GCVE-0-2020-25174)

    Vulnerability from nvd – Published: 2020-11-06 16:08 – Updated: 2024-09-17 00:16
    VLAI
    Title
    B. Braun OnlineSuite
    Summary
    A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user.
    Severity
    No CVSS data available.
    CWE
    • CWE-427 - UNCONTROLLED SEARCH PATH ELEMENT CWE-427
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG OnlineSuite Affected: AP , ≤ 3.0 (custom)
    Create a notification for this product.
    Date Public
    2020-10-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.187Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "3.0",
                  "status": "affected",
                  "version": "AP",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-10-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-11-06T16:08:41.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
            }
          ],
          "source": {
            "advisory": "ICSMA-20-296-01",
            "discovery": "UNKNOWN"
          },
          "title": "B. Braun OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
              "ID": "CVE-2020-25174",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun OnlineSuite"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "OnlineSuite",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "AP",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
                }
              ]
            },
            "source": {
              "advisory": "ICSMA-20-296-01",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25174",
        "datePublished": "2020-11-06T16:08:41.727Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:16:15.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25172 (GCVE-0-2020-25172)

    Vulnerability from nvd – Published: 2020-11-06 16:09 – Updated: 2024-09-16 18:39
    VLAI
    Title
    B. Braun OnlineSuite
    Summary
    A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files.
    Severity
    No CVSS data available.
    CWE
    • CWE-23 - RELATIVE PATH TRAVERSAL CWE-23
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG OnlineSuite Affected: AP , ≤ 3.0 (custom)
    Create a notification for this product.
    Date Public
    2020-10-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.164Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "3.0",
                  "status": "affected",
                  "version": "AP",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-10-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "RELATIVE PATH TRAVERSAL CWE-23",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-11-06T16:09:16.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
            }
          ],
          "source": {
            "advisory": "ICSMA-20-296-01",
            "discovery": "UNKNOWN"
          },
          "title": "B. Braun OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
              "ID": "CVE-2020-25172",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun OnlineSuite"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "OnlineSuite",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "AP",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "RELATIVE PATH TRAVERSAL CWE-23"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
                }
              ]
            },
            "source": {
              "advisory": "ICSMA-20-296-01",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25172",
        "datePublished": "2020-11-06T16:09:16.397Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:39:05.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25170 (GCVE-0-2020-25170)

    Vulnerability from nvd – Published: 2020-11-06 16:08 – Updated: 2024-09-17 00:56
    VLAI
    Title
    B. Braun OnlineSuite
    Summary
    An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export.
    Severity
    No CVSS data available.
    CWE
    • CWE-1236 - IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG OnlineSuite Affected: AP , ≤ 3.0 (custom)
    Create a notification for this product.
    Date Public
    2020-10-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.606Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "3.0",
                  "status": "affected",
                  "version": "AP",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-10-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-11-06T16:08:07.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
            }
          ],
          "source": {
            "advisory": "ICSMA-20-296-01",
            "discovery": "UNKNOWN"
          },
          "title": "B. Braun OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
              "ID": "CVE-2020-25170",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun OnlineSuite"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "OnlineSuite",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "AP",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
                }
              ]
            },
            "source": {
              "advisory": "ICSMA-20-296-01",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25170",
        "datePublished": "2020-11-06T16:08:07.525Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:56:57.848Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3365 (GCVE-0-2025-3365)

    Vulnerability from cvelistv5 – Published: 2025-06-06 08:14 – Updated: 2025-06-06 17:12
    VLAI
    Title
    Relative Path Traversal in OnlineSuite
    Summary
    A missing protection against path traversal allows to access any file on the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3365",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:03:10.577417Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:12:51.401Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA missing protection against path traversal allows to access\nany file on the server.\u003c/p\u003e"
                }
              ],
              "value": "A missing protection against path traversal allows to access\nany file on the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:14:00.444Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Relative Path Traversal in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3365",
        "datePublished": "2025-06-06T08:14:00.444Z",
        "dateReserved": "2025-04-07T06:11:11.032Z",
        "dateUpdated": "2025-06-06T17:12:51.401Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3322 (GCVE-0-2025-3322)

    Vulnerability from cvelistv5 – Published: 2025-06-06 08:13 – Updated: 2025-06-06 17:29
    VLAI
    Title
    Improper Neutralization of Special Elements in OnlineSuite
    Summary
    An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3322",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:19:28.552605Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:29:30.972Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver.\u003c/p\u003e"
                }
              ],
              "value": "An improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-917",
                  "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:13:12.028Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Neutralization of Special Elements in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3322",
        "datePublished": "2025-06-06T08:13:12.028Z",
        "dateReserved": "2025-04-05T19:02:30.304Z",
        "dateUpdated": "2025-06-06T17:29:30.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3321 (GCVE-0-2025-3321)

    Vulnerability from cvelistv5 – Published: 2025-06-06 08:12 – Updated: 2025-06-06 18:25
    VLAI
    Title
    Use of Hard-coded Credentials in OnlineSuite
    Summary
    A predefined administrative account is not documented and cannot be deactivated. This account cannot be misused from the network, only by local users on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:42:18.841236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T18:25:54.094Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eA predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server.\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "A predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:12:46.971Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Use of Hard-coded Credentials in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3321",
        "datePublished": "2025-06-06T08:12:46.971Z",
        "dateReserved": "2025-04-05T19:01:47.895Z",
        "dateUpdated": "2025-06-06T18:25:54.094Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25172 (GCVE-0-2020-25172)

    Vulnerability from cvelistv5 – Published: 2020-11-06 16:09 – Updated: 2024-09-16 18:39
    VLAI
    Title
    B. Braun OnlineSuite
    Summary
    A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files.
    Severity
    No CVSS data available.
    CWE
    • CWE-23 - RELATIVE PATH TRAVERSAL CWE-23
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG OnlineSuite Affected: AP , ≤ 3.0 (custom)
    Create a notification for this product.
    Date Public
    2020-10-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.164Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "3.0",
                  "status": "affected",
                  "version": "AP",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-10-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "RELATIVE PATH TRAVERSAL CWE-23",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-11-06T16:09:16.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
            }
          ],
          "source": {
            "advisory": "ICSMA-20-296-01",
            "discovery": "UNKNOWN"
          },
          "title": "B. Braun OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
              "ID": "CVE-2020-25172",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun OnlineSuite"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "OnlineSuite",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "AP",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "RELATIVE PATH TRAVERSAL CWE-23"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
                }
              ]
            },
            "source": {
              "advisory": "ICSMA-20-296-01",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25172",
        "datePublished": "2020-11-06T16:09:16.397Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:39:05.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25174 (GCVE-0-2020-25174)

    Vulnerability from cvelistv5 – Published: 2020-11-06 16:08 – Updated: 2024-09-17 00:16
    VLAI
    Title
    B. Braun OnlineSuite
    Summary
    A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user.
    Severity
    No CVSS data available.
    CWE
    • CWE-427 - UNCONTROLLED SEARCH PATH ELEMENT CWE-427
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG OnlineSuite Affected: AP , ≤ 3.0 (custom)
    Create a notification for this product.
    Date Public
    2020-10-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.187Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "3.0",
                  "status": "affected",
                  "version": "AP",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-10-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-11-06T16:08:41.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
            }
          ],
          "source": {
            "advisory": "ICSMA-20-296-01",
            "discovery": "UNKNOWN"
          },
          "title": "B. Braun OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
              "ID": "CVE-2020-25174",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun OnlineSuite"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "OnlineSuite",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "AP",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
                }
              ]
            },
            "source": {
              "advisory": "ICSMA-20-296-01",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25174",
        "datePublished": "2020-11-06T16:08:41.727Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:16:15.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25170 (GCVE-0-2020-25170)

    Vulnerability from cvelistv5 – Published: 2020-11-06 16:08 – Updated: 2024-09-17 00:56
    VLAI
    Title
    B. Braun OnlineSuite
    Summary
    An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export.
    Severity
    No CVSS data available.
    CWE
    • CWE-1236 - IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG OnlineSuite Affected: AP , ≤ 3.0 (custom)
    Create a notification for this product.
    Date Public
    2020-10-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.606Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "3.0",
                  "status": "affected",
                  "version": "AP",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-10-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-11-06T16:08:07.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
            }
          ],
          "source": {
            "advisory": "ICSMA-20-296-01",
            "discovery": "UNKNOWN"
          },
          "title": "B. Braun OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
              "ID": "CVE-2020-25170",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun OnlineSuite"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "OnlineSuite",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "AP",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
                }
              ]
            },
            "source": {
              "advisory": "ICSMA-20-296-01",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25170",
        "datePublished": "2020-11-06T16:08:07.525Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:56:57.848Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }