#VU105346 Sensitive Cookie Without 'HttpOnly' Flag in USB-C Blood Glucose Monitoring System Starter Kit Android Applications and Dario Application Database and Internet-based Server Infrastructure - CVE-2025-24318

Cybersecurity Help s.r.o.

Published: 2025-03-05

Vulnerability identifier: #VU105346

Vulnerability risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-24318

CWE-ID: CWE-1004

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
USB-C Blood Glucose Monitoring System Starter Kit Android Applications
Mobile applications / Apps for mobile phones
Dario Application Database and Internet-based Server Infrastructure
Other software / Other software solutions

Vendor: DarioHealth Corp

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to cookie policy is observable via built-in browser tools. A remote attacker can gain unauthorized access to user session data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

USB-C Blood Glucose Monitoring System Starter Kit Android Applications: 5.8.7.0.36

Dario Application Database and Internet-based Server Infrastructure: All versions

External links
http://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
http://www.dariohealth.com/contact/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application