
SonicDICOM PACS 2.3.2 Multiple Stored Cross-Site Scripting Vulnerabilities

Severity: High
Advisory ID: ZSL-2017-5394
Release Date: 11 February 2017
Vendor: JIUN Corporation - https://www.sonicdicom.com
Affected Version: 2.3.2 and 2.3.1
CVE: N/A
Tested On: Microsoft-HTTPAPI/2.0
Summary

SonicDICOM is PACS software that combines the capabilities of a DICOM server with a web-browser-based DICOM viewer.

Description

The application suffers from multiple stored XSS vulnerabilities. Input passed to several API POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
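The defect class above is values stored through the API and later concatenated into viewer markup without output encoding. The following is an added example, not SonicDICOM's code: the field names, the row renderer and the sample record are assumptions, and it shows the unsafe concatenation next to the hardened version that encodes every stored value for its HTML context.

```javascript
// Added example (not the vendor's code): contextual output encoding for
// stored DICOM metadata before it is placed into a viewer's HTML.
// Field names (patientName, studyDescription) and the renderers are
// assumptions chosen for illustration.

// Escape the characters that matter in an HTML text or attribute context.
// '&' must be replaced first so already-encoded output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: stored values are concatenated straight into markup,
// so any markup stored via an API POST parameter is rendered as-is.
function renderStudyRowUnsafe(study) {
  return `<tr><td>${study.patientName}</td>` +
         `<td>${study.studyDescription}</td></tr>`;
}

// Hardened pattern: every stored value is encoded for the context it lands
// in. In browser code the equivalent is assigning textContent rather than
// innerHTML; a different context (attribute, URL, script) needs its own
// encoder, so this function is only correct for element text.
function renderStudyRowSafe(study) {
  return `<tr><td>${escapeHtml(study.patientName)}</td>` +
         `<td>${escapeHtml(study.studyDescription)}</td></tr>`;
}

// Constructed sample record: a patient name that carries markup, as a
// tampered API POST parameter would leave it in storage.
const sampleStudy = {
  patientName: 'Doe^John<script>alert(1)</script>',
  studyDescription: 'CT "Chest" & Abdomen',
};
```

A regression test for a fix of this kind asserts that the rendered output for a record containing markup contains no raw `<` or `>` from the stored fields.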

Proof of Concept
Disclosure Timeline
22.11.2016 - Vulnerability discovered.
28.11.2016 - Vendor contacted.
29.11.2016 - Vendor responds asking for more details.
29.11.2016 - Sent details to the vendor.
30.11.2016 - Vendor replies.
04.12.2016 - Asked vendor for status update.
06.12.2016 - Vendor is checking the issues.
14.12.2016 - Asked vendor for confirmation of the issues.
14.12.2016 - Meanwhile, vendor releases version 2.3.2 which fixes a bug in DICOM comm.
15.12.2016 - Vendor confirms the issues, scheduling patch in April 2017.
26.01.2017 - Asked vendor for status update.
27.01.2017 - Vendor replies.
11.02.2017 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
11.02.2017 - Initial release
18.02.2017 - Added references [1], [2], [3] and [4]