CVE-2020-25152

A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges.

CVSS v3 6.5 MEDIUM
CVSS v2.0 5.8 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html	Broken Link
https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02	Third Party Advisory US Government Resource
https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html	Broken Link
https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:bbraun:datamodule_compactplus:a10:::::::*
	cpe:2.3:o:bbraun:datamodule_compactplus:a11:::::::*

cpe:2.3:h:bbraun:datamodule_compactplus:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:bbraun:spacecom:*:*:*:*:*:*:*:*

cpe:2.3:h:bbraun:spacecom:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:17

Type	Values Removed	Values Added
References	~~() https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html - Broken Link~~	() https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html - Broken Link
References	~~() https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02 - Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02 - Third Party Advisory, US Government Resource
CVSS	v2 : ~~5.8~~ v3 : ~~8.1~~	v2 : 5.8 v3 : 6.5

Information

Published : 2022-04-14 21:15

Updated : 2024-11-21 05:17

NVD link : CVE-2020-25152

Mitre link : CVE-2020-25152

CVE.ORG link : CVE-2020-25152

JSON object : View

Products Affected

bbraun

datamodule_compactplus
spacecom

CWE

CWE-384

Session Fixation

{"id": "CVE-2020-25152", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2022-04-14T21:15:07.893", "references": [{"url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html", "tags": ["Broken Link"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges."}, {"lang": "es", "value": "Una vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en la interfaz administrativa de B. Braun Melsungen AG SpaceCom Versiones L81/U61 y anteriores, y el m\u00f3dulo de Datos compactplus Versiones A10 y A11, permite a atacantes remotos secuestrar sesiones web y escalar privilegios"}], "lastModified": "2024-11-21T05:17:28.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:bbraun:datamodule_compactplus:a10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AB0FE4F-48A0-49E0-B103-41FFFBFD3273"}, {"criteria": "cpe:2.3:o:bbraun:datamodule_compactplus:a11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CC88FD8-E19A-4C59-97D5-D7979C6B573F"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:bbraun:datamodule_compactplus:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1715E3E2-C648-4439-8EB3-FD036B919B90"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:bbraun:spacecom:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5872EF69-4FA8-4D1B-8372-AB855C8EB0D2", "versionEndIncluding": "l81"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:bbraun:spacecom:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "0EE9120E-BC31-410E-A371-D0C30EBBFEE5"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.8 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-25152

6.5^/10

5.8^/10

Attach tags to `CVE-2020-25152`