Search criteria
12 vulnerabilities found for OnlineSuite by B. Braun Melsungen AG
CVE-2025-3365 (GCVE-0-2025-3365)
Vulnerability from cvelistv5 – Published: 2025-06-06 08:14 – Updated: 2025-06-06 17:12
VLAI?
Summary
A missing protection against path traversal allows to access
any file on the server.
Severity ?
9.8 (Critical)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
3.0
(custom)
|
Credits
Fabian Weber (CODE WHITE GmbH)
Dr. Florian Hauser (CODE WHITE GmbH)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T17:03:10.577417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T17:12:51.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fabian Weber (CODE WHITE GmbH)"
},
{
"lang": "en",
"type": "reporter",
"value": "Dr. Florian Hauser (CODE WHITE GmbH)"
}
],
"datePublic": "2025-06-06T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA missing protection against path traversal allows to access\nany file on the server.\u003c/p\u003e"
}
],
"value": "A missing protection against path traversal allows to access\nany file on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T08:14:00.444Z",
"orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"shortName": "B.Braun"
},
"references": [
{
"url": "https://www.bbraun.com/productsecurity"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
}
],
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Relative Path Traversal in OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"assignerShortName": "B.Braun",
"cveId": "CVE-2025-3365",
"datePublished": "2025-06-06T08:14:00.444Z",
"dateReserved": "2025-04-07T06:11:11.032Z",
"dateUpdated": "2025-06-06T17:12:51.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3322 (GCVE-0-2025-3322)
Vulnerability from cvelistv5 – Published: 2025-06-06 08:13 – Updated: 2025-06-06 17:29
VLAI?
Summary
An improper neutralization of inputs used in expression
language allows remote code execution with the highest privileges on the
server.
Severity ?
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
3.0
(custom)
|
Credits
Fabian Weber (CODE WHITE GmbH)
Dr. Florian Hauser (CODE WHITE GmbH)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T17:19:28.552605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T17:29:30.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fabian Weber (CODE WHITE GmbH)"
},
{
"lang": "en",
"type": "reporter",
"value": "Dr. Florian Hauser (CODE WHITE GmbH)"
}
],
"datePublic": "2025-06-06T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver.\u003c/p\u003e"
}
],
"value": "An improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T08:13:12.028Z",
"orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"shortName": "B.Braun"
},
"references": [
{
"url": "https://www.bbraun.com/productsecurity"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
}
],
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Special Elements in OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"assignerShortName": "B.Braun",
"cveId": "CVE-2025-3322",
"datePublished": "2025-06-06T08:13:12.028Z",
"dateReserved": "2025-04-05T19:02:30.304Z",
"dateUpdated": "2025-06-06T17:29:30.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3321 (GCVE-0-2025-3321)
Vulnerability from cvelistv5 – Published: 2025-06-06 08:12 – Updated: 2025-06-06 18:25
VLAI?
Summary
A predefined administrative account is not documented and cannot
be deactivated. This account cannot be misused from the network, only by local
users on the server.
Severity ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
3.0
(custom)
|
Credits
Fabian Weber (CODE WHITE GmbH)
Dr. Florian Hauser (CODE WHITE GmbH)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T17:42:18.841236Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T18:25:54.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fabian Weber (CODE WHITE GmbH)"
},
{
"lang": "en",
"type": "reporter",
"value": "Dr. Florian Hauser (CODE WHITE GmbH)"
}
],
"datePublic": "2025-06-06T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eA predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server.\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T08:12:46.971Z",
"orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"shortName": "B.Braun"
},
"references": [
{
"url": "https://www.bbraun.com/productsecurity"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
}
],
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Use of Hard-coded Credentials in OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"assignerShortName": "B.Braun",
"cveId": "CVE-2025-3321",
"datePublished": "2025-06-06T08:12:46.971Z",
"dateReserved": "2025-04-05T19:01:47.895Z",
"dateUpdated": "2025-06-06T18:25:54.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25172 (GCVE-0-2020-25172)
Vulnerability from cvelistv5 – Published: 2020-11-06 16:09 – Updated: 2024-09-16 18:39
VLAI?
Summary
A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files.
Severity ?
No CVSS data available.
CWE
- CWE-23 - RELATIVE PATH TRAVERSAL CWE-23
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
AP , ≤ 3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:10.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"lessThanOrEqual": "3.0",
"status": "affected",
"version": "AP",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "RELATIVE PATH TRAVERSAL CWE-23",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-06T16:09:16",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
},
"title": "B. Braun OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
"ID": "CVE-2020-25172",
"STATE": "PUBLIC",
"TITLE": "B. Braun OnlineSuite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OnlineSuite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "AP",
"version_value": "3.0"
}
]
}
}
]
},
"vendor_name": "B. Braun Melsungen AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "RELATIVE PATH TRAVERSAL CWE-23"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
]
},
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25172",
"datePublished": "2020-11-06T16:09:16.397700Z",
"dateReserved": "2020-09-04T00:00:00",
"dateUpdated": "2024-09-16T18:39:05.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25174 (GCVE-0-2020-25174)
Vulnerability from cvelistv5 – Published: 2020-11-06 16:08 – Updated: 2024-09-17 00:16
VLAI?
Summary
A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user.
Severity ?
No CVSS data available.
CWE
- CWE-427 - UNCONTROLLED SEARCH PATH ELEMENT CWE-427
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
AP , ≤ 3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:10.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"lessThanOrEqual": "3.0",
"status": "affected",
"version": "AP",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-06T16:08:41",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
},
"title": "B. Braun OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
"ID": "CVE-2020-25174",
"STATE": "PUBLIC",
"TITLE": "B. Braun OnlineSuite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OnlineSuite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "AP",
"version_value": "3.0"
}
]
}
}
]
},
"vendor_name": "B. Braun Melsungen AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
]
},
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25174",
"datePublished": "2020-11-06T16:08:41.727185Z",
"dateReserved": "2020-09-04T00:00:00",
"dateUpdated": "2024-09-17T00:16:15.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25170 (GCVE-0-2020-25170)
Vulnerability from cvelistv5 – Published: 2020-11-06 16:08 – Updated: 2024-09-17 00:56
VLAI?
Summary
An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export.
Severity ?
No CVSS data available.
CWE
- CWE-1236 - IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
AP , ≤ 3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:09.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"lessThanOrEqual": "3.0",
"status": "affected",
"version": "AP",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-06T16:08:07",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
},
"title": "B. Braun OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
"ID": "CVE-2020-25170",
"STATE": "PUBLIC",
"TITLE": "B. Braun OnlineSuite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OnlineSuite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "AP",
"version_value": "3.0"
}
]
}
}
]
},
"vendor_name": "B. Braun Melsungen AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
]
},
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25170",
"datePublished": "2020-11-06T16:08:07.525834Z",
"dateReserved": "2020-09-04T00:00:00",
"dateUpdated": "2024-09-17T00:56:57.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3365 (GCVE-0-2025-3365)
Vulnerability from nvd – Published: 2025-06-06 08:14 – Updated: 2025-06-06 17:12
VLAI?
Summary
A missing protection against path traversal allows to access
any file on the server.
Severity ?
9.8 (Critical)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
3.0
(custom)
|
Credits
Fabian Weber (CODE WHITE GmbH)
Dr. Florian Hauser (CODE WHITE GmbH)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T17:03:10.577417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T17:12:51.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fabian Weber (CODE WHITE GmbH)"
},
{
"lang": "en",
"type": "reporter",
"value": "Dr. Florian Hauser (CODE WHITE GmbH)"
}
],
"datePublic": "2025-06-06T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA missing protection against path traversal allows to access\nany file on the server.\u003c/p\u003e"
}
],
"value": "A missing protection against path traversal allows to access\nany file on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T08:14:00.444Z",
"orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"shortName": "B.Braun"
},
"references": [
{
"url": "https://www.bbraun.com/productsecurity"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
}
],
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Relative Path Traversal in OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"assignerShortName": "B.Braun",
"cveId": "CVE-2025-3365",
"datePublished": "2025-06-06T08:14:00.444Z",
"dateReserved": "2025-04-07T06:11:11.032Z",
"dateUpdated": "2025-06-06T17:12:51.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3322 (GCVE-0-2025-3322)
Vulnerability from nvd – Published: 2025-06-06 08:13 – Updated: 2025-06-06 17:29
VLAI?
Summary
An improper neutralization of inputs used in expression
language allows remote code execution with the highest privileges on the
server.
Severity ?
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
3.0
(custom)
|
Credits
Fabian Weber (CODE WHITE GmbH)
Dr. Florian Hauser (CODE WHITE GmbH)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T17:19:28.552605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T17:29:30.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fabian Weber (CODE WHITE GmbH)"
},
{
"lang": "en",
"type": "reporter",
"value": "Dr. Florian Hauser (CODE WHITE GmbH)"
}
],
"datePublic": "2025-06-06T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver.\u003c/p\u003e"
}
],
"value": "An improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T08:13:12.028Z",
"orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"shortName": "B.Braun"
},
"references": [
{
"url": "https://www.bbraun.com/productsecurity"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
}
],
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Special Elements in OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"assignerShortName": "B.Braun",
"cveId": "CVE-2025-3322",
"datePublished": "2025-06-06T08:13:12.028Z",
"dateReserved": "2025-04-05T19:02:30.304Z",
"dateUpdated": "2025-06-06T17:29:30.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3321 (GCVE-0-2025-3321)
Vulnerability from nvd – Published: 2025-06-06 08:12 – Updated: 2025-06-06 18:25
VLAI?
Summary
A predefined administrative account is not documented and cannot
be deactivated. This account cannot be misused from the network, only by local
users on the server.
Severity ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
3.0
(custom)
|
Credits
Fabian Weber (CODE WHITE GmbH)
Dr. Florian Hauser (CODE WHITE GmbH)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T17:42:18.841236Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T18:25:54.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fabian Weber (CODE WHITE GmbH)"
},
{
"lang": "en",
"type": "reporter",
"value": "Dr. Florian Hauser (CODE WHITE GmbH)"
}
],
"datePublic": "2025-06-06T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eA predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server.\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T08:12:46.971Z",
"orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"shortName": "B.Braun"
},
"references": [
{
"url": "https://www.bbraun.com/productsecurity"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
}
],
"value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Use of Hard-coded Credentials in OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
"assignerShortName": "B.Braun",
"cveId": "CVE-2025-3321",
"datePublished": "2025-06-06T08:12:46.971Z",
"dateReserved": "2025-04-05T19:01:47.895Z",
"dateUpdated": "2025-06-06T18:25:54.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25172 (GCVE-0-2020-25172)
Vulnerability from nvd – Published: 2020-11-06 16:09 – Updated: 2024-09-16 18:39
VLAI?
Summary
A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files.
Severity ?
No CVSS data available.
CWE
- CWE-23 - RELATIVE PATH TRAVERSAL CWE-23
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
AP , ≤ 3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:10.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"lessThanOrEqual": "3.0",
"status": "affected",
"version": "AP",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "RELATIVE PATH TRAVERSAL CWE-23",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-06T16:09:16",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
},
"title": "B. Braun OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
"ID": "CVE-2020-25172",
"STATE": "PUBLIC",
"TITLE": "B. Braun OnlineSuite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OnlineSuite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "AP",
"version_value": "3.0"
}
]
}
}
]
},
"vendor_name": "B. Braun Melsungen AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "RELATIVE PATH TRAVERSAL CWE-23"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
]
},
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25172",
"datePublished": "2020-11-06T16:09:16.397700Z",
"dateReserved": "2020-09-04T00:00:00",
"dateUpdated": "2024-09-16T18:39:05.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25174 (GCVE-0-2020-25174)
Vulnerability from nvd – Published: 2020-11-06 16:08 – Updated: 2024-09-17 00:16
VLAI?
Summary
A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user.
Severity ?
No CVSS data available.
CWE
- CWE-427 - UNCONTROLLED SEARCH PATH ELEMENT CWE-427
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
AP , ≤ 3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:10.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"lessThanOrEqual": "3.0",
"status": "affected",
"version": "AP",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-06T16:08:41",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
},
"title": "B. Braun OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
"ID": "CVE-2020-25174",
"STATE": "PUBLIC",
"TITLE": "B. Braun OnlineSuite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OnlineSuite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "AP",
"version_value": "3.0"
}
]
}
}
]
},
"vendor_name": "B. Braun Melsungen AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
]
},
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25174",
"datePublished": "2020-11-06T16:08:41.727185Z",
"dateReserved": "2020-09-04T00:00:00",
"dateUpdated": "2024-09-17T00:16:15.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25170 (GCVE-0-2020-25170)
Vulnerability from nvd – Published: 2020-11-06 16:08 – Updated: 2024-09-17 00:56
VLAI?
Summary
An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export.
Severity ?
No CVSS data available.
CWE
- CWE-1236 - IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| B. Braun Melsungen AG | OnlineSuite |
Affected:
AP , ≤ 3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:09.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OnlineSuite",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"lessThanOrEqual": "3.0",
"status": "affected",
"version": "AP",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-06T16:08:07",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
},
"title": "B. Braun OnlineSuite",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
"ID": "CVE-2020-25170",
"STATE": "PUBLIC",
"TITLE": "B. Braun OnlineSuite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OnlineSuite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "AP",
"version_value": "3.0"
}
]
}
}
]
},
"vendor_name": "B. Braun Melsungen AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
]
},
"source": {
"advisory": "ICSMA-20-296-01",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25170",
"datePublished": "2020-11-06T16:08:07.525834Z",
"dateReserved": "2020-09-04T00:00:00",
"dateUpdated": "2024-09-17T00:56:57.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}