Partywave

OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles jsp.java when processed through the Upload DICOM images feature.

**Name of the Vulnerable Software and Affected Versions** Weasis version 4.5.1 **Description** The issue concerns a hardcoded key for symmetric encryption of proxy credentials in the `ui/pref/ProxyPrefView.java` file within the weasis-core component of Weasis. This hardcoded key is used for the symmetric encryption of proxy credentials. **Recommendations** For Weasis version 4.5.1, consider disabling the symmetric encryption of proxy credentials until a patch is available that addresses the hardcoded key issue. Restrict access to the `ui/pref/ProxyPrefView.java` file to minimize the risk of exploitation. Avoid using the hardcoded key for symmetric encryption of proxy credentials in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.