A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.
The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Datamodule_compactplus | Bbraun | a10 (including) | a10 (including) |
Datamodule_compactplus | Bbraun | a11 (including) | a11 (including) |