A new report published by Trustwave Spiderlabs’ team of researchers reveals two reflected cross-site scriptings (XSS) vulnerabilities in Canon Medical’s Vitrea View third-party software, found during a penetration test. The two vulnerabilities are known collectively as CVE-2022-37461.
The Vitrea View tool enables viewing and safely exchanging medical images via the DICOM standard.
What Data Is at Risk?
An attacker can exploit the flaws to gain access to/modify patient information (such as stored images and scans) and gain additional access to some Vitrea View services.
If exploited an attacker could access patient information and obtain additional access to various services associated with Vitrea View.
As explained by Security Affairs, the two problems that could lead to an XSS Attack are:
- The first problem is an unauthenticated Reflected XSS that can be found in an error message at /vitrea-view/error/. This vulnerability can reflect all input after the /error/ subdirectory back to the user, with some minor limitations. The experts discovered that spaces, single and double quotes, and apostrophes can all break a reflection. However, avoiding these limitations and importing remote scripts might be possible with the use of backticks (‘) and base64 encoding.
- Another Reflected XSS problem is present in the Vitrea View Administrative panel. By tricking the victims into clicking on a specially created link, an attacker can gain access to the panel. The experts found that when text is entered instead of the anticipated numerical inputs, the search for “groupID,” “offset,” and “limit” all reflect the user’s input back to them on the “Group and Users” page of the administration panel.
Once an authenticated admin is coerced into visiting the affected URL, it is possible to create and modify the Python, JavaScript and Groovy scripts used by the Vitrea View application.
Additionally, a proof of concept for each vulnerability was released by the experts.
To address the two vulnerabilities, Canon Medical released Vitrea View version 7.7.6.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.