XSS Flaw in Prevalent Media Imaging Tool Exposes Trove of Patient Data
Bugs in Canon Medical’s Vitrea View could allow cyberattackers to access several sources of sensitive patient data.
Canon Medical’s Vitrea View is a widely used tool for securely sharing medical images between radiologists, physicians, and other healthcare providers on a patient care team. Two newly discovered vulnerabilities (collectively tracked as CVE-2022-37461) could allow threat actors to access much more than X-rays.
One flaw is an unauthenticated reflected cross-site scripting (XSS) in an error message, according to a new report from Trustwave’s SpiderLabs. Jordan Hedges, the threat researcher behind the findings, said the second is a separate reflected XSS in the Vitrea View admin panel.
“If exploited, these vulnerabilities could be used to retrieve patient information, stored images, or scans, and modify information, depending on privileges used during the session,” Hedges wrote in a Thursday analysis. “Sensitive information and credentials for various services integrated with Vitrea View could be accessed, as well.”
Vitrea View meets the international Digital Imaging and Communications in Medicine (DICOM) standard, the report notes, and so integrates with many other imaging systems.
“Vitrea View is used to centralize potentially multiple sources and solutions for medical imaging, including X-Rays, MRIs, CRT scans, 3D imaging, etc.,” Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells Dark Reading.
He added, “The images are also associated with a patient’s records, so these vulnerabilities mean that there could potentially be a wealth of information that might be exfiltrated (damaging a patient’s confidentiality) or modified (swapping a patient’s medical images with another, deleting records, or potentially modifying patient information directly).”
The XSS medical imaging vulnerabilities were submitted to Canon Medical and a patch has been released. Hedges recommends organizations running the tool apply it immediately.
Related news
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Canon Medical Vitrea View 7.x before 7.7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the input after the error subdirectory to the /vitrea-view/error/ subdirectory, or the (2) groupID, (3) offset, or (4) limit parameter to an Administrative Panel (Group and Users) page. There is a risk of an attacker retrieving patient information.
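The two inputs named above (the tail of the /vitrea-view/error/ path and the groupID, offset and limit parameters of the admin page) are reflected into HTML, which is what makes them reflected XSS. The added example below is not Canon Medical’s or Trustwave’s code; it is a Python illustration of the defensive side of that description: a constructed error-page renderer shown in its vulnerable and output-encoded forms, and a small log triage routine that flags requests carrying markup in those inputs or non-numeric values in the paging parameters. The log format, the sample log lines, and the admin route /vitrea-view/admin/users are constructed for the example; the advisory text does not give the admin page’s URL, so the parameter checks are applied on any path.

```python
from __future__ import annotations

import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# --- Output encoding: the fix for a reflected XSS -------------------------


def render_error_unsafe(path_tail: str) -> str:
    # Constructed illustration of the vulnerable pattern: the tail of the
    # request path is copied into the HTML body verbatim.
    return f"<html><body><p>Resource not found: {path_tail}</p></body></html>"


def render_error_safe(path_tail: str) -> str:
    # Hardened form: html.escape turns <, >, &, " and ' into entities, so the
    # browser shows the tail as text and never parses it as markup.
    return f"<html><body><p>Resource not found: {html.escape(path_tail, quote=True)}</p></body></html>"


# --- Log triage: spotting probes against the two affected inputs ----------

# Combined-log prefix (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Markup or script-like content that has no business in these inputs.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.I)

ERROR_PREFIX = "/vitrea-view/error/"          # path named in the advisory text
ADMIN_PARAMS = ("groupID", "offset", "limit")  # parameters named in the advisory text
NUMERIC_PARAMS = ("offset", "limit")           # paging values should be integers


def reasons_for(target: str) -> list[str]:
    """Return the reasons a request target looks like a reflected-XSS probe."""
    reasons = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith(ERROR_PREFIX) and MARKUP_RE.search(path[len(ERROR_PREFIX):]):
        reasons.append("markup in error-page path")
    # The admin page's own URL is not given in the text, so the parameters are
    # checked on any path rather than tied to an assumed route.
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    for name in ADMIN_PARAMS:
        for value in params.get(name, []):
            if MARKUP_RE.search(value):
                reasons.append(f"markup in {name} parameter")
            elif name in NUMERIC_PARAMS and not value.isdigit():
                reasons.append(f"non-numeric {name} parameter")
    return reasons


def triage(log_lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, reasons) for each suspicious request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = reasons_for(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


# Constructed sample log lines; /vitrea-view/admin/users is a placeholder
# route, not one taken from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2022:10:01:02 +0000] "GET /vitrea-view/error/missing-study HTTP/1.1" 404 512',
    '10.0.0.7 - - [12/Aug/2022:10:02:15 +0000] "GET /vitrea-view/error/%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 404 640',
    '10.0.0.9 - - [12/Aug/2022:10:03:44 +0000] "GET /vitrea-view/admin/users?groupID=12&offset=0&limit=50 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Aug/2022:10:04:01 +0000] "GET /vitrea-view/admin/users?groupID=%3Cscript%3E&offset=abc&limit=50 HTTP/1.1" 200 2100',
]

if __name__ == "__main__":
    for ip, target, reasons in triage(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

Running the block prints the two suspicious requests from the constructed log (the encoded markup in the error path and the markup plus non-numeric offset on the admin route). The hardened renderer is the actual fix for the class of bug; the triage routine is only a way to review access logs for the patched endpoints, and the `MARKUP_RE` pattern is deliberately broad, so expect some noise on real traffic and treat hits as leads to inspect rather than confirmed attacks.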