CVE-2020-25158 : Security Advisory and Response

Learn about CVE-2020-25158, a high-severity cross-site scripting vulnerability in B. Braun Melsungen AG's SpaceCom and Data module compactplus. Find out the impacted systems, exploitation details, and mitigation steps.

A reflected cross-site scripting (XSS) vulnerability in B. Braun Melsungen AG's SpaceCom and Data module compactplus allows remote attackers to inject arbitrary web script or HTML into various locations.

Understanding CVE-2020-25158

This CVE involves a cross-site scripting vulnerability affecting specific products by B. Braun Melsungen AG.

What is CVE-2020-25158?

The vulnerability in affected versions of SpaceCom and Data module compactplus allows attackers to inject malicious scripts into web pages.

The Impact of CVE-2020-25158

The vulnerability has a CVSS base score of 7.6, indicating a high severity level with a significant impact on confidentiality.

Technical Details of CVE-2020-25158

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The reflected XSS vulnerability in affected versions of SpaceCom and Data module compactplus enables attackers to inject arbitrary scripts, which execute in the browser of a user who loads the affected web pages.

Affected Systems and Versions

        SpaceCom: Versions L81/U61 and earlier
        Data module compactplus: Versions A10 and A11

Exploitation Mechanism

Attackers can exploit this vulnerability remotely by injecting malicious scripts into vulnerable web pages.

Mitigation and Prevention

Steps to address and prevent the CVE-2020-25158 vulnerability.

Immediate Steps to Take

        Apply updates recommended by B. Braun Melsungen AG for affected products.
        Protect the network by ensuring devices are not directly accessible from the Internet.
        Use a firewall to isolate medical devices from the business network.

Long-Term Security Practices

        Regularly update and patch all software and firmware on medical devices.
        Conduct security assessments and penetration testing to identify vulnerabilities.

Patching and Updates

        SpaceCom: Update to Version U62 or later (United States) or L82 or later (outside the United States).
        Data module compactplus: Update to Version A12 or later.
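
To find which devices still need these updates, the affected and fixed versions listed above can be checked against an asset inventory. The following is an added example, not code from B. Braun or from the original advisory. The asset names, the inventory layout, and the version format (one track letter followed by a build number) are assumptions.

```python
import re

# Affected build ranges per (product, version track), from the advisory text:
# SpaceCom L81/U61 and earlier; Data module compactplus A10 and A11.
AFFECTED = {
    ("spacecom", "L"): (0, 81),    # fixed in L82 (outside the United States)
    ("spacecom", "U"): (0, 61),    # fixed in U62 (United States)
    ("data module compactplus", "A"): (10, 11),  # fixed in A12
}

# Assumption: a version is one track letter followed by a build number.
VERSION_RE = re.compile(r"^([A-Za-z])(\d+)$")

def classify(product, version):
    """Return 'affected', 'fixed' or 'unknown' for one device."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"            # unparseable: needs manual review
    track, build = m.group(1).upper(), int(m.group(2))
    rng = AFFECTED.get((" ".join(product.lower().split()), track))
    if rng is None:
        return "unknown"            # product/track not covered by the advisory
    first, last = rng
    if build > last:
        return "fixed"
    if build >= first:
        return "affected"
    return "unknown"                # older than any build the advisory lists

def triage(inventory):
    """Group asset names by status so nothing unclassified is silently dropped."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for asset, product, version in inventory:
        report[classify(product, version)].append(asset)
    return report

# Constructed sample inventory: (asset name, product, reported version).
SAMPLE = [
    ("icu-pump-01", "SpaceCom", "L81"),
    ("icu-pump-02", "SpaceCom", "U62"),
    ("icu-pump-03", "spacecom", "u61"),
    ("ward-dm-01", "Data module compactplus", "A11"),
    ("ward-dm-02", "Data module compactplus", "A12"),
    ("ward-dm-03", "Data module compactplus", "A9"),
    ("lab-x-01", "SpaceCom", "v2.1"),
]

if __name__ == "__main__":
    for status, assets in triage(SAMPLE).items():
        print(f"{status:9} {', '.join(assets)}")
```

Devices reported as unknown should be reviewed by hand rather than treated as safe, since the advisory does not state their status.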
