XSS Flaw in Prevalent Media Imaging Tool Exposes Trove of Patient Data


Canon Medical’s Vitrea View is a widely used tool for securely sharing medical images between radiologists, physicians, and other healthcare providers on a patient care team. Two newly discovered vulnerabilities (collectively tracked as CVE-2022-37461) could allow threat actors to access much more than X-rays. 

One flaw is an unauthenticated reflected cross-site scripting (XSS) in an error message, according to a new report from Trustwave’s SpiderLabs. Jordan Hedges, the threat researcher behind the finds, said the second is a separate reflected XSS in the Vitrea View admin panel.

“If exploited, these vulnerabilities could be used to retrieve patient information, stored images, or scans, and modify information, depending on privileges used during the session,” Hedges wrote in a Thursday analysis. “Sensitive information and credentials for various services integrated with Vitrea View could be accessed, as well.”

Vitrea View meets the international Digital Imaging and Communications in Medicine (DICOM) standards, the report notes, and so integrates with a wide range of other systems.

“Vitrea View is used to centralize potentially multiple sources and solutions for medical imaging, including X-Rays, MRIs, CRT scans, 3D imaging, etc.,” Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells Dark Reading. 

He added, “The images are also associated with a patient’s records, so these vulnerabilities mean that there could potentially be a wealth of information that might be exfiltrated (damaging a patient’s confidentiality) or modified (swapping a patient’s medical images with another, deleting records, or potentially modifying patient information directly).”

The XSS medical imaging vulnerabilities were reported to Canon Medical, and a patch has been released. Hedges recommends that organizations running the tool apply it immediately.
