Marcin Icewall

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** The software contains multiple reflected cross-site scripting (xss) issues within the config.php functionality. A crafted URL can trigger these issues, potentially leading to arbitrary javascript code execution. The `imagedir` parameter is specifically identified as a point of exploitation. **Recommendations** Apply updates to address the identified issues in the config.php functionality.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting (xss) issue exists within the `modifyRoute` functionality. A malicious URL can be crafted to execute arbitrary javascript code. An attacker can trigger this by providing a crafted URL. **Recommendations** Apply updates to address the issue in the `modifyRoute` functionality.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting issue exists in the `modifyEmail` functionality. A crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting (xss) issue exists within the `modifyHL7App` functionality. A crafted malicious URL can result in arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this issue. **Recommendations** Apply updates to address the issue in the `modifyHL7App` functionality.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** The software contains multiple reflected cross-site scripting (xss) issues within the `config.php` functionality. A crafted URL can trigger these issues, potentially leading to arbitrary javascript code execution. The `status` parameter is specifically identified as a point of exploitation. An attacker can provide a malicious URL to exploit these issues. **Recommendations** Apply updates to address the identified issues in the `config.php` functionality.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** The software contains multiple reflected cross-site scripting (xss) issues within the `config.php` functionality. A crafted URL can trigger these issues, potentially leading to arbitrary javascript code execution. The `archivedir` parameter is specifically identified as a point of exploitation. An attacker can provide a malicious URL to trigger these vulnerabilities. **Recommendations** Apply updates to address the identified issues in the `config.php` functionality.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** The software contains multiple reflected cross-site scripting (xss) issues within the `config.php` functionality. An attacker can exploit these issues by providing a crafted URL, potentially leading to arbitrary javascript code execution. The `longtermdir` parameter is specifically identified as a point of exploitation. **Recommendations** Apply updates to address the identified issues in the `config.php` functionality.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** The software contains multiple reflected cross-site scripting (xss) issues within the config.php functionality. An attacker can leverage crafted malicious URLs to execute arbitrary javascript code. The `uploaddir` parameter is susceptible to exploitation via specially crafted URLs. **Recommendations** Apply updates to address the identified issues in the config.php functionality. As a temporary workaround, consider restricting access to the `config.php` functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** The software contains multiple reflected cross-site scripting (XSS) issues within the `config.php` functionality. A malicious URL crafted by an attacker can lead to arbitrary JavaScript code execution. The `thumbnaildir` parameter is specifically identified as a point of exploitation. An attacker can provide a crafted URL to trigger these issues. **Recommendations** Apply updates to address the identified vulnerabilities in version 7.3.6.870.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** The software contains multiple reflected cross-site scripting (xss) issues within the `config.php` functionality. A crafted URL can trigger these issues, potentially leading to arbitrary javascript code execution. The `phpexe` parameter is involved in the exploitation of these issues. **Recommendations** Apply updates to address the identified issues in the `config.php` functionality. As a temporary workaround, consider restricting access to the `config.php` functionality or carefully validating all input to the `phpexe` parameter.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** The software contains multiple reflected cross-site scripting (xss) issues within the `config.php` functionality. A crafted URL can trigger these issues, potentially leading to arbitrary javascript code execution. The `phpdir` parameter is involved in these vulnerabilities. An attacker can provide a malicious URL to exploit the issue. **Recommendations** Apply updates to address the vulnerabilities in the `config.php` functionality. Sanitize user input for the `phpdir` parameter to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** The software contains multiple reflected cross-site scripting (xss) issues within the config.php functionality. A malicious URL, crafted to exploit these issues, can lead to arbitrary javascript code execution. The `worklistsrc` parameter is specifically identified as a point of exploitation. An attacker can provide a crafted URL to trigger these issues. **Recommendations** Apply updates to address the identified issues in the config.php functionality. As a temporary workaround, sanitize or encode the `worklistsrc` parameter to prevent the execution of arbitrary javascript code.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting (xss) issue exists within the `ldapUser` functionality. A malicious URL, specifically crafted, can result in the execution of arbitrary javascript code. An attacker can trigger this by providing a crafted URL. The `ldapUser` functionality is susceptible to this attack. **Recommendations** Apply updates to address the issue in the `ldapUser` functionality.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting (xss) issue exists in the sendOruReport functionality. A crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting (xss) issue exists in the `fetchPriorStudies` functionality. A crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting (xss) issue exists within the downloadZip functionality. A malicious URL can be used to execute arbitrary javascript code. An attacker can provide a crafted URL to trigger this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting (xss) issue exists within the `modifyTranscript` functionality. A crafted URL can cause arbitrary javascript code to run. An attacker can provide a malicious URL to trigger this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting (xss) issue exists within the `modifyHL7Route` functionality. A crafted URL can cause arbitrary javascript code to run. An attacker can provide a malicious URL to trigger this issue. **Recommendations** Apply updates to address the issue in MedDream PACS Premium version 7.3.6.870.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** An arbitrary file read issue exists in the encapsulatedDoc functionality. A specially crafted HTTP request can lead to unauthorized file access. An attacker can send an HTTP request to the `encapsulatedDoc` endpoint to trigger this issue. The vulnerability allows reading any file on the server. **Recommendations** MedDream PACS Premium version 7.3.6.870: As a temporary workaround, consider disabling the `encapsulatedDoc` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MedDream PACS Premium version 7.3.6.870 **Description** A reflected cross-site scripting (xss) issue exists within the encapsulatedDoc functionality. A crafted URL can result in arbitrary javascript code execution. An attacker can provide a malicious URL to trigger this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.