CVE-2021-23233

Sensitive endpoints in Fresenius Kabi Agilia Link+ v3.0 and prior can be accessed without any authentication information such as the session cookie. An attacker can send requests to sensitive endpoints as an unauthenticated user to perform critical actions or modify critical configuration parameters.
References
Link Resource
https://www.cisa.gov/uscert/ics/advisories/icsma-21-355-01 Third Party Advisory US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsma-21-355-01 Third Party Advisory US Government Resource
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fresenius-kabi:agilia_partner_maintenance_software:*:*:*:*:*:*:*:*
cpe:2.3:a:fresenius-kabi:vigilant_centerium:1.0:*:*:*:*:*:*:*
cpe:2.3:a:fresenius-kabi:vigilant_insight:1.0:*:*:*:*:*:*:*
cpe:2.3:a:fresenius-kabi:vigilant_mastermed:1.0:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:fresenius-kabi:agilia_connect_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:fresenius-kabi:agilia_connect:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
OR cpe:2.3:o:fresenius-kabi:link\+_agilia_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:fresenius-kabi:link\+_agilia_firmware:3.0:-:*:*:*:*:*:*
cpe:2.3:o:fresenius-kabi:link\+_agilia_firmware:3.0:d15:*:*:*:*:*:*
cpe:2.3:h:fresenius-kabi:link\+_agilia:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:51

Type Values Removed Values Added
References () https://www.cisa.gov/uscert/ics/advisories/icsma-21-355-01 - Third Party Advisory, US Government Resource () https://www.cisa.gov/uscert/ics/advisories/icsma-21-355-01 - Third Party Advisory, US Government Resource
CVSS v2 : 7.5
v3 : 9.8
v2 : 7.5
v3 : 7.3

Information

Published : 2022-01-21 19:15

Updated : 2024-11-21 05:51


NVD link : CVE-2021-23233

Mitre link : CVE-2021-23233

CVE.ORG link : CVE-2021-23233


JSON object : View

Products Affected

fresenius-kabi

  • agilia_connect
  • vigilant_mastermed
  • link\+_agilia_firmware
  • link\+_agilia
  • vigilant_insight
  • agilia_connect_firmware
  • vigilant_centerium
  • agilia_partner_maintenance_software
CWE
CWE-284

Improper Access Control

CWE-798

Use of Hard-coded Credentials