CVE-2020-25158

B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus

CVSS 7.6 HIGH · EPSS 0.8% · CWE-79

In short

A medical device interface allows attackers to inject malicious scripts that execute in users' browsers, potentially stealing sensitive patient data or compromising device control through deceptive web pages.

Technical detail

A reflected XSS vulnerability in the web interfaces of B. Braun SpaceCom (L81/U61 and earlier) and Data module compactplus (A10-A11) enables remote attackers to inject arbitrary JavaScript or HTML. The attack vector is network-based via crafted URLs, and no authentication is required. Impact includes session hijacking, credential theft, and unauthorized device manipulation in clinical environments.

Summary generated and translated by AI from the official description.
A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
