CVE-2025-20049
Description
The Dario Health portal service application is vulnerable to XSS, which could allow an attacker to obtain sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-20049 is an XSS vulnerability in Dario Health's portal service that could allow an attacker to obtain sensitive information.
Vulnerability
Overview
CVE-2025-20049 is a Cross-site Scripting (XSS) vulnerability present in the Dario Health portal service application. The root cause is improper neutralization of user input in web pages, which allows an attacker to inject malicious scripts. This vulnerability affects the Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application (versions 5.8.7.0.36 and prior) and the associated application database and internet-based server infrastructure [1].
Exploitation
Scenario
An attacker can exploit this XSS vulnerability remotely over a network with low attack complexity. The attacker does not need prior authentication to the portal service to launch the attack. By injecting a malicious script into a web page served to a legitimate user, the attacker can execute code in the context of the user's browser session [1].
Impact
Successful exploitation could allow the attacker to obtain sensitive information, such as session tokens or other data accessible in the user's browser context. The CISA advisory notes that successful exploitation of XSS can result in full session compromise, potentially leading to unauthorized access to the user's account and data [1].
Mitigation
Dario Health has released updates to address this vulnerability. Users and organizations are advised to update the Android application to a version newer than 5.8.7.0.36 and to apply updates to the server infrastructure as recommended by Dario Health [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.