An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
Attacker can remotely supply crafted input data that is not properly neutralized before being passed to the expression language mechanism. Lack of proper validation and sanitization of this data allows injection and execution of arbitrary expressions on the server side. The attack does not require authentication, user interaction, or fulfillment of any special conditions, making it trivial to carry out.
Attacker gains the ability to remotely execute arbitrary code with the highest privileges on the vulnerable server, leading to complete system takeover, data breach, and potential impact on the network environment.
Apply patches available from the manufacturer according to references published at https://www.bbraun.com/productsecurity
B. Braun products — specific versions indicated in manufacturer references (https://www.bbraun.com/productsecurity)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X