Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application


1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Dario Health
  • Equipment: USB-C Blood Glucose Monitoring System Starter Kit Android Application, Application Database and Internet-based Server Infrastructure
  • Vulnerabilities: Exposure of Private Personal Information to an Unauthorized Actor, Improper Output Neutralization For Logs, Storage of Sensitive Data In a Mechanism Without Access Control, Cleartext Transmission of Sensitive Information, Cross-site Scripting (XSS), Sensitive Cookie Without ‘HttpOnly’ Flag, Exposure of Sensitive Information Due To Incompatible Policies

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to expose information, inject code, manipulate data, or achieve cross-site scripting (XSS), resulting in full session compromise.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Dario Health products are affected:

  • USB-C Blood Glucose Monitoring System Starter Kit Android Applications: Versions 5.8.7.0.36 and prior
  • Dario Application Database and Internet-based Server Infrastructure: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF PRIVATE PERSONAL INFORMATION TO AN UNAUTHORIZED ACTOR CWE-359

An attacker could expose other users' Personally Identifiable Information (PII) and personal health information that the Dario Health application database transmits to the Android device.

CVE-2025-20060 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculate

[…]

This article has been indexed from All CISA Advisories
