CVE-2023-30563 – Stored Cross-Site Scripting on User Import Functionality
https://notcve.org/view.php?id=CVE-2023-30563
A malicious file could be uploaded through the Systems Manager User Import function, resulting in a hijacked session. This is stored cross-site scripting: content from the imported file is kept with the user records and later emitted into a page without being neutralised, so script embedded in it runs in the browser of whoever views that page. • https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
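As an added illustration of the weakness class (this is example code, not the Systems Manager import code and not taken from the BD bulletin): a CSV user import rendered into an HTML user list, first in the vulnerable pattern and then in the hardened one. The CSV layout, column names, role set and sample rows are assumptions made for the example.

```python
import csv
import html
import io
from typing import Dict, List

# Constructed sample import file for this example (not a BD file format): one
# row carries a script payload in the display-name column.
SAMPLE_IMPORT = (
    "username,display_name,role\n"
    "jdoe,Jane Doe,nurse\n"
    "mallory,<script>alert(document.cookie)</script>,pharmacist\n"
)

ALLOWED_ROLES = {"nurse", "pharmacist", "admin"}  # assumed role vocabulary


def parse_import(text: str) -> List[Dict[str, str]]:
    """Parse and validate the import file.

    Input validation rejects rows that are structurally wrong, but it cannot
    make free-text fields such as display_name safe to render: real names
    legitimately contain characters like & or ', so the output side must encode.
    """
    rows = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        if set(row) != {"username", "display_name", "role"}:
            raise ValueError(f"line {lineno}: unexpected columns {list(row)}")
        if not row["username"].isalnum():
            raise ValueError(f"line {lineno}: bad username {row['username']!r}")
        if row["role"] not in ALLOWED_ROLES:
            raise ValueError(f"line {lineno}: bad role {row['role']!r}")
        rows.append(row)
    return rows


def render_vulnerable(rows: List[Dict[str, str]]) -> str:
    """Pre-fix pattern: imported values are concatenated straight into the page.

    The payload is stored with the user record and executes in the browser of
    every administrator who later views the user list, which is how a stored
    XSS turns into a hijacked session.
    """
    body = "".join(
        f"<tr><td>{r['username']}</td><td>{r['display_name']}</td>"
        f"<td>{r['role']}</td></tr>"
        for r in rows
    )
    return f"<table>{body}</table>"


def render_hardened(rows: List[Dict[str, str]]) -> str:
    """Fixed pattern: every value is entity-encoded for the HTML context at the
    point of output. quote=True also neutralises " and ', so the same helper
    is safe inside attribute values."""
    def enc(value: str) -> str:
        return html.escape(value, quote=True)

    body = "".join(
        f"<tr><td>{enc(r['username'])}</td><td>{enc(r['display_name'])}</td>"
        f"<td>{enc(r['role'])}</td></tr>"
        for r in rows
    )
    return f"<table>{body}</table>"


def carries_raw_script(rendered: str) -> bool:
    """Check used below: does the rendered page still contain an unencoded <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    users = parse_import(SAMPLE_IMPORT)
    print("vulnerable page runs payload:", carries_raw_script(render_vulnerable(users)))
    print("hardened page runs payload:  ", carries_raw_script(render_hardened(users)))
```

The point of splitting `parse_import` from `render_hardened` is that the fix for CWE-79 lives at the output boundary: validating the import file is worthwhile, but the display-name column cannot be restricted tightly enough to make encoding on output optional.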
CVE-2023-30562 – Lack of Dataset Integrity Checking
https://notcve.org/view.php?id=CVE-2023-30562
A GRE dataset file within Systems Manager can be tampered with and then distributed to PCUs, because the dataset's authenticity is not verified before it is accepted. • https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx • CWE-345: Insufficient Verification of Data Authenticity
CVE-2023-30561 – Lack of Cryptographic Security of IUI Bus
https://notcve.org/view.php?id=CVE-2023-30561
The data flowing between the PCU and its modules over the IUI bus is not encrypted. A threat actor with physical access could read or modify that data by attaching a specially crafted device while an infusion is running. • https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx • CWE-311: Missing Encryption of Sensitive Data
CVE-2023-30560 – PCU Configuration Lacks Authentication
https://notcve.org/view.php?id=CVE-2023-30560
The PCU's configuration can be modified, without any authentication, over a physical connection to the PCU. • https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx • CWE-287: Improper Authentication
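An added example of what authenticating a configuration write looks like (example code written for this page; it is not BD's PCU protocol and does not come from the bulletin). It addresses the unauthenticated-write problem in CVE-2023-30560 and the "modify" half of CVE-2023-30561: the PCU hands out a single-use nonce, the service tool returns the new configuration together with an HMAC over nonce, version number and body, and the PCU applies it only if the tag verifies and the version is newer than the one installed. The provisioned key, the frame layout, the JSON configuration body and the parameter names are all assumptions. Confidentiality of the bus would additionally need an authenticated cipher such as AES-GCM, which the Python standard library does not provide, so that part is not shown.

```python
import hashlib
import hmac
import json
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption for this example: each PCU is provisioned with a per-device secret
# that the authorised service tool also holds. Constructed test value, not a BD key.
PROVISIONED_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)
TAG_LEN = 32  # HMAC-SHA256 output


class AuthError(Exception):
    pass


def encode_config(cfg: Dict[str, int]) -> bytes:
    return json.dumps(cfg, sort_keys=True).encode()


def decode_config(raw: bytes) -> Dict[str, int]:
    return json.loads(raw.decode())


@dataclass
class PCU:
    key: bytes
    config: Dict[str, int] = field(default_factory=lambda: {"max_rate_ml_h": 999})
    last_seq: int = 0                  # version of the config currently applied
    nonce: Optional[bytes] = None      # outstanding challenge, if any

    def apply_config_unauthenticated(self, raw: bytes) -> None:
        """Pre-fix pattern: anyone on the physical port can rewrite the config."""
        self.config = decode_config(raw)

    def challenge(self) -> bytes:
        """Hand the tool a fresh nonce; the next write attempt consumes it."""
        self.nonce = os.urandom(16)
        return self.nonce

    def apply_config(self, frame: bytes) -> None:
        """Accept a write only if it is bound to our nonce, keyed, and newer than the last one."""
        if self.nonce is None:
            raise AuthError("no outstanding challenge")
        nonce, self.nonce = self.nonce, None      # single use, even when verification fails
        if len(frame) < 4 + TAG_LEN:
            raise AuthError("short frame")
        header, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, nonce + header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise AuthError("authentication failed")
        (seq,) = struct.unpack(">I", header)       # header is trusted only after the tag check
        if seq <= self.last_seq:
            raise AuthError("stale sequence number")
        self.last_seq = seq
        self.config = decode_config(body)


def build_config_frame(key: bytes, nonce: bytes, seq: int, cfg: Dict[str, int]) -> bytes:
    """Service-tool side: seq || config || HMAC(key, nonce || seq || config)."""
    header = struct.pack(">I", seq)
    body = encode_config(cfg)
    tag = hmac.new(key, nonce + header + body, hashlib.sha256).digest()
    return header + body + tag


def attempt(pcu: PCU, frame: bytes) -> str:
    """Run one write attempt and report the outcome as a short string."""
    try:
        pcu.apply_config(frame)
        return "accepted"
    except AuthError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    pcu = PCU(PROVISIONED_KEY)
    frame = build_config_frame(PROVISIONED_KEY, pcu.challenge(), 1, {"max_rate_ml_h": 500})
    print(attempt(pcu, frame), pcu.config)                       # legitimate write
    print(attempt(pcu, frame))                                   # replay: nonce already consumed
    forged = build_config_frame(b"\x00" * 32, pcu.challenge(), 2, {"max_rate_ml_h": 9999})
    print(attempt(pcu, forged), pcu.config)                      # wrong key: rejected, config unchanged
```

The nonce alone already defeats replay of a captured frame; the sequence number is there so that a valid but older configuration cannot be re-applied through a fresh challenge, and the nonce is discarded before verification so that one challenge cannot be used for repeated guessing.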
CVE-2023-30559 – Wireless Card Firmware Improperly Signed
https://notcve.org/view.php?id=CVE-2023-30559
The firmware update package for the wireless card is not properly signed, so it can be modified without the modification being detected. • https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx • CWE-20: Improper Input Validation; CWE-287: Improper Authentication; CWE-345: Insufficient Verification of Data Authenticity
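CVE-2023-30562 (dataset integrity) and CVE-2023-30559 (firmware signing) are the same weakness at two receivers, so one added example covers both (example code written for this page; the bundle format is invented here and is not BD's dataset or firmware packaging). A signed bundle carries a type byte, a version and the payload under one authentication tag; the receiver checks the tag before trusting any header field, then rejects a bundle of the wrong type (a dataset passed off as firmware) and a version older than what is installed (rollback). HMAC-SHA256 is used so the block runs on the standard library alone; for real distribution to PCUs and wireless cards the tag should be an asymmetric signature (for example Ed25519) so that receivers hold only a public key, since a secret present on every device is exactly what an attacker with the physical access described in CVE-2023-30560 and CVE-2023-30561 could extract. The key and payloads are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Bundle layout (constructed for this example, not a BD format):
#   magic "BNDL" | kind (1) | version (4, BE) | payload_len (4, BE) | payload | tag (32)
# tag = HMAC-SHA256(key, everything before the tag)
MAGIC = b"BNDL"
KIND_GRE_DATASET = 1     # dataset destined for PCUs
KIND_WIFI_FIRMWARE = 2   # wireless-card firmware image
HEADER_LEN = len(MAGIC) + struct.calcsize(">BII")
TAG_LEN = 32

# Constructed signing key for the example; production receivers should hold a
# public key for an asymmetric scheme instead of a shared secret.
SIGNING_KEY = bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")

# Constructed sample payloads.
SAMPLE_DATASET = b"library=ICU;drug=sample;hard_max=100"
SAMPLE_FIRMWARE = b"\x7fELF" + b"\x00" * 28


class VerifyError(Exception):
    pass


def sign_bundle(key: bytes, kind: int, version: int, payload: bytes) -> bytes:
    header = MAGIC + struct.pack(">BII", kind, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def install_unverified(blob: bytes) -> bytes:
    """Pre-fix pattern: the receiver uses whatever arrives (CWE-345)."""
    return blob[HEADER_LEN:-TAG_LEN]


def verify_bundle(key: bytes, blob: bytes, expected_kind: int,
                  min_version: int = 0) -> Tuple[int, bytes]:
    """Return (version, payload) only if the bundle is authentic, of the expected
    kind, and not older than what is already installed."""
    if len(blob) < HEADER_LEN + TAG_LEN or blob[:len(MAGIC)] != MAGIC:
        raise VerifyError("not a bundle")
    kind, version, plen = struct.unpack(">BII", blob[len(MAGIC):HEADER_LEN])
    if len(blob) != HEADER_LEN + plen + TAG_LEN:
        raise VerifyError("length mismatch")
    signed, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise VerifyError("authentication failed")
    # Header fields are acted on only after the tag has been checked.
    if kind != expected_kind:
        raise VerifyError(f"wrong bundle kind {kind}")
    if version < min_version:
        raise VerifyError(f"version {version} older than installed {min_version}")
    return version, blob[HEADER_LEN:HEADER_LEN + plen]


def rejection_reason(key: bytes, blob: bytes, kind: int, min_version: int = 0) -> str:
    """Return the VerifyError message, or '' if the bundle verifies."""
    try:
        verify_bundle(key, blob, kind, min_version)
        return ""
    except VerifyError as exc:
        return str(exc)


def tamper(blob: bytes, marker: bytes, replacement: bytes) -> bytes:
    """Overwrite the first occurrence of marker with an equal-length replacement."""
    assert len(marker) == len(replacement)
    idx = blob.index(marker)
    return blob[:idx] + replacement + blob[idx + len(marker):]


if __name__ == "__main__":
    ds = sign_bundle(SIGNING_KEY, KIND_GRE_DATASET, 7, SAMPLE_DATASET)
    print("genuine dataset:", verify_bundle(SIGNING_KEY, ds, KIND_GRE_DATASET))
    evil = tamper(ds, b"hard_max=100", b"hard_max=999")
    print("unverified install accepts:", install_unverified(evil))
    print("tampered dataset:", rejection_reason(SIGNING_KEY, evil, KIND_GRE_DATASET))
    print("dataset passed off as firmware:", rejection_reason(SIGNING_KEY, ds, KIND_WIFI_FIRMWARE))
    fw3 = sign_bundle(SIGNING_KEY, KIND_WIFI_FIRMWARE, 3, SAMPLE_FIRMWARE)
    print("firmware rollback:", rejection_reason(SIGNING_KEY, fw3, KIND_WIFI_FIRMWARE, min_version=4))
```

Binding the kind into the signed header is what keeps one signing key from being usable across artefacts: without it, any authentic dataset bundle would also verify as a firmware bundle for the wireless card.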