Trustwave SpiderLabs Security Advisory TWSL2022-003:
Multiple XSS Vulnerabilities in Canon Medical Vitrea View

Published: 09/29/22
Version: 1.0

Vendor: Canon Medical (https://anz.medical.canon/)
Product: Vitrea View
Version affected: All versions of 7.x up until 7.7.6

Product description:
Vitrea View is a tool used for viewing medical images and makes use of the DICOM standard.

Finding 1: Unauthenticated Reflected XSS In Error Message
Credit: Jordan Hedges of Trustwave, Avery Warddhana
CVE: CVE-2022-37461
CWE: 79

The error page located at /vitrea-view/error/ reflects all input after the /error/ subdirectory back to the user with minor restrictions. Single and double quotes as well as space characters appear to break the reflection, but using backticks (`) and base64 encoding avoids these restrictions, and importing remote scripts is possible.

Once a user has been coerced into navigating to the affected URL, if they have a valid Vitrea View session, that session could potentially be used to retrieve patient information, retrieve their stored images or scans, and modify their information, depending on the privileges of the session.

The following proof of concept will pop up an alert noting "Script Execution" after replacing HOST with the address of the server hosting the Vitrea View application:

https://HOST/vitrea-view/error/Invalid%20session:%20%3Cimg%20src=x%20onerror=alert(atob(%60U2NyaXB0IEV4ZWN1dGlvbg==%60))%3E

Finding 2: Authenticated (Administrator Only) Reflected XSS In Administrative Panel
Credit: Jordan Hedges of Trustwave, Avery Warddhana
CVE: CVE-2022-37461
CWE: 79

The 'groupID', 'offset' and 'limit' search parameters on the 'Group and Users' page of the administration panel all reflect their input back to the user when text is entered instead of the expected numerical input. Reflected input is slightly restricted and does not allow spaces, but is otherwise unmodified.
Once an authenticated admin is coerced into visiting the affected URL, it is possible to create and modify the Python, JavaScript and Groovy scripts used by the Vitrea View application. In addition, their session could potentially be used to retrieve patient information, retrieve their stored images or scans, and modify their information, depending on the privileges of the session. Other secrets and credentials for other services integrated with Vitrea View may also be accessed.

The following proof of concept will pop up an alert noting "Script Execution" after replacing HOST with the address of the server hosting the Vitrea View application:

hxxps://HOST/vitrea-view/admin/authorization/users/all?_dc=1637817433453&groupId=%3Cimg/src=%271%27/onerror=alert(0)%3E&search=&page=2&offset=0&limit=18

Vendor Response:
Accepted and remediated

Remediation Steps:
All customers of 7.x to update to the latest release of Vitrea Viewer

Revision History:
12/09/21 - Vulnerability disclosed
Unknown - Patch released by vendor in version 7.7.6
04/07/22 - Remediation testing confirmed vulnerability had been patched
09/29/22 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.
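An added detection example for the two findings above, not part of the advisory or of Canon Medical's software: it URL-decodes the request target of access-log entries and flags markup after /vitrea-view/error/ (Finding 1) and non-numeric groupId/offset/limit values on the admin users endpoint (Finding 2). The endpoint paths come from the proof-of-concept URLs; the log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints from the advisory's PoC URLs and the parameters Finding 2 says are reflected
# (the PoC spells the first one "groupId"; names are matched case-sensitively).
ERROR_PREFIX = "/vitrea-view/error/"
ADMIN_USERS_PATH = "/vitrea-view/admin/authorization/users/all"
NUMERIC_PARAMS = ("groupId", "offset", "limit")

# Markup that has no place in an error-message path segment or a numeric parameter.
MARKUP = re.compile(r"[<>`]|\bon\w+\s*=|javascript:|atob\(", re.IGNORECASE)

# Request line of a common-log-format entry (assumed format): method, target, protocol.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def inspect_request(target):
    """Return the reasons a request target matches either finding (empty list if clean)."""
    reasons = []
    parts = urlsplit(target)
    path = unquote(parts.path)  # decode %3C, %20, %60 etc. before inspecting
    if path.startswith(ERROR_PREFIX) and MARKUP.search(path[len(ERROR_PREFIX):]):
        reasons.append("markup in /error/ path segment")
    if parts.path == ADMIN_USERS_PATH:
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name in NUMERIC_PARAMS:
                reasons.extend(f"non-numeric {name}={v!r}" for v in values if not v.isdigit())
    return reasons

def scan_log(lines):
    """Return (target, reasons) for each access-log line whose request looks suspicious."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            reasons = inspect_request(m.group("target"))
            if reasons:
                hits.append((m.group("target"), reasons))
    return hits

# Constructed sample access-log lines (not from the advisory): two benign, two matching.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2022:10:00:00 +0000] "GET /vitrea-view/error/Invalid%20session HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Sep/2022:10:00:01 +0000] "GET /vitrea-view/error/Invalid%20session:%20%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 611',
    '10.0.0.9 - - [12/Sep/2022:10:00:02 +0000] "GET /vitrea-view/admin/authorization/users/all?groupId=3&offset=0&limit=18 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Sep/2022:10:00:03 +0000] "GET /vitrea-view/admin/authorization/users/all?groupId=%3Cimg/src=%271%27/onerror=alert(0)%3E&offset=0&limit=18 HTTP/1.1" 200 2100',
]

if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG):
        print(target, "->", "; ".join(reasons))
```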
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.