PT-2022-24013 · Canon Medical · Canon Medical Vitrea View

Published 2022-09-30 · Updated 2022-10-04 · CVE-2022-37461

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Canon Medical Vitrea View versions 7.x through 7.7.5

Description: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the path component that follows the "/vitrea-view/error/" subdirectory, or via the groupID, offset, or limit parameter of an Administrative Panel (Group and Users) page. There is a risk of an attacker retrieving patient information.

Recommendations: For Canon Medical Vitrea View versions 7.x through 7.7.5, update to version 7.7.6 to resolve the issue. As a temporary workaround, consider restricting access to the "/vitrea-view/error/" subdirectory and the Administrative Panel (Group and Users) page until the update is applied. Avoid using the groupID, offset, or limit parameters in the affected API endpoints until the issue is resolved.
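The two inputs the advisory names (the path after "/vitrea-view/error/" and the groupID, offset and limit parameters) are narrow enough that a defender can describe what a legitimate value looks like and flag everything else. The Python below is an added example, not code from Canon Medical or from this advisory: it applies allowlist shapes to those inputs, both as a server-side validation helper and as a scan over web access log lines while the workaround is in place. The admin page path, the exact shape of a legitimate groupID, and the log lines themselves are assumptions constructed for the example; the advisory gives none of them.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path prefix named in the advisory.
ERROR_PREFIX = "/vitrea-view/error/"

# Allowlists describing what each input should look like when used legitimately.
# offset/limit are paging values, so non-negative integers. The groupID shape and
# the error-path tail shape are ASSUMPTIONS (the advisory does not define them);
# tune them to what the deployment actually serves.
PARAM_RULES = {
    "offset": re.compile(r"^\d{1,9}$"),
    "limit": re.compile(r"^\d{1,9}$"),
    "groupID": re.compile(r"^[A-Za-z0-9_-]{1,64}$"),
}
ERROR_TAIL_RULE = re.compile(r"^[A-Za-z0-9_./-]*$")

# Request line inside a Common Log Format access-log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample traffic (hypothetical; not taken from any real system).
# The /vitrea-view/admin/groups path is a placeholder for the Group and Users page.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Sep/2022:10:00:01 +0000] "GET /vitrea-view/error/404 HTTP/1.1" 200 512
10.0.0.7 - - [30/Sep/2022:10:00:02 +0000] "GET /vitrea-view/error/%3Cscript%3Etest%3C/script%3E HTTP/1.1" 200 700
10.0.0.9 - - [30/Sep/2022:10:00:03 +0000] "GET /vitrea-view/admin/groups?groupID=12&offset=0&limit=50 HTTP/1.1" 200 2048
10.0.0.9 - - [30/Sep/2022:10:00:04 +0000] "GET /vitrea-view/admin/groups?groupID=12&offset=%22%3E%3Cimg%20src%3Dx%3E&limit=50 HTTP/1.1" 200 2048
10.0.0.9 - - [30/Sep/2022:10:00:05 +0000] "GET /vitrea-view/admin/groups?groupID=1%27&offset=0&limit=50 HTTP/1.1" 200 2048
10.0.0.11 - - [30/Sep/2022:10:00:06 +0000] "GET /vitrea-view/studies?id=7 HTTP/1.1" 200 1024
"""


def validate_param(name: str, value: str) -> bool:
    """Server-side allowlist check: True when the (already URL-decoded) value
    has the expected shape. Parameters the advisory does not name are not judged."""
    rule = PARAM_RULES.get(name)
    if rule is None:
        return True
    return rule.fullmatch(value) is not None


def inspect_target(target: str) -> list:
    """Return the reasons a request target fails the checks for the endpoints
    described in CVE-2022-37461 (empty list when it looks legitimate)."""
    reasons = []
    parts = urlsplit(target)

    # Decode the path once. A value that is still percent-encoded after one
    # decode fails the allowlist anyway, so double-encoding does not slip past.
    path = unquote(parts.path)
    if path.startswith(ERROR_PREFIX):
        tail = path[len(ERROR_PREFIX):]
        if ERROR_TAIL_RULE.fullmatch(tail) is None:
            reasons.append(f"error path tail fails allowlist: {tail!r}")

    # parse_qs decodes each value once.
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in PARAM_RULES:
        for value in query.get(name, []):
            if not validate_param(name, value):
                reasons.append(f"parameter {name} fails allowlist: {value!r}")
    return reasons


def scan_log(log_text: str) -> list:
    """Scan CLF-style access log lines and return one
    (line_no, client, target, reasons) tuple per request that fails the checks."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        target = match.group("target")
        reasons = inspect_target(target)
        if reasons:
            findings.append((line_no, client, target, reasons))
    return findings


if __name__ == "__main__":
    for line_no, client, target, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {client}: {target}")
        for reason in reasons:
            print(f"    {reason}")
```

Run against the constructed log, lines 2, 4 and 5 are reported (markup in the error path, markup in offset, and a quote in groupID) while the well-formed requests on lines 1, 3 and 6 pass. The same validate_param check, applied in the application before a parameter is echoed into a page, is the allowlist half of the fix; the output encoding that the 7.7.6 update presumably adds is the other half, and neither replaces applying the update.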

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2022-37461

Affected Products: Canon Medical Vitrea View