Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Osimis DICOM Web Viewer by Orthanc
CVE-2023-7238 (GCVE-0-2023-7238)
Vulnerability from nvd – Published: 2024-01-23 19:20 – Updated: 2025-06-17 21:19
VLAI
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Orthanc Osimis DICOM Web Viewer
Summary
A XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim's browser.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-medical-advi… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | Osimis DICOM Web Viewer |
Affected:
1.4.2.0-9d9eff4
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:57:35.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-24T15:37:12.921629Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:26.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Osimis DICOM Web Viewer",
"vendor": "Orthanc",
"versions": [
{
"status": "affected",
"version": "1.4.2.0-9d9eff4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Noam Moshe of Claroty Team82"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim\u0027s browser.\u003c/span\u003e\n\n"
}
],
"value": "\nA XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim\u0027s browser.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T19:20:02.324Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eOrthanc recommends users mitigate this vulnerability by updating to the Docker images and Windows installers to Orthanc version 24.1.2 or greater.\u003c/p\u003e\u003cp\u003eReview Orthanc\u0027s \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://discourse.orthanc-server.org/t/osimis-web-viewer-1-4-3/4206\"\u003esecurity bullentin\u003c/a\u003e\u0026nbsp;for more details.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nOrthanc recommends users mitigate this vulnerability by updating to the Docker images and Windows installers to Orthanc version 24.1.2 or greater.\n\nReview Orthanc\u0027s security bullentin https://discourse.orthanc-server.org/t/osimis-web-viewer-1-4-3/4206 \u00a0for more details.\n\n\n\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Orthanc Osimis DICOM Web Viewer",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-7238",
"datePublished": "2024-01-23T19:20:02.324Z",
"dateReserved": "2024-01-22T16:41:11.753Z",
"dateUpdated": "2025-06-17T21:19:26.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7238 (GCVE-0-2023-7238)
Vulnerability from cvelistv5 – Published: 2024-01-23 19:20 – Updated: 2025-06-17 21:19
VLAI
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Orthanc Osimis DICOM Web Viewer
Summary
A XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim's browser.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-medical-advi… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | Osimis DICOM Web Viewer |
Affected:
1.4.2.0-9d9eff4
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:57:35.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-24T15:37:12.921629Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:26.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Osimis DICOM Web Viewer",
"vendor": "Orthanc",
"versions": [
{
"status": "affected",
"version": "1.4.2.0-9d9eff4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Noam Moshe of Claroty Team82"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim\u0027s browser.\u003c/span\u003e\n\n"
}
],
"value": "\nA XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim\u0027s browser.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T19:20:02.324Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eOrthanc recommends users mitigate this vulnerability by updating to the Docker images and Windows installers to Orthanc version 24.1.2 or greater.\u003c/p\u003e\u003cp\u003eReview Orthanc\u0027s \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://discourse.orthanc-server.org/t/osimis-web-viewer-1-4-3/4206\"\u003esecurity bullentin\u003c/a\u003e\u0026nbsp;for more details.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nOrthanc recommends users mitigate this vulnerability by updating to the Docker images and Windows installers to Orthanc version 24.1.2 or greater.\n\nReview Orthanc\u0027s security bullentin https://discourse.orthanc-server.org/t/osimis-web-viewer-1-4-3/4206 \u00a0for more details.\n\n\n\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Orthanc Osimis DICOM Web Viewer",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-7238",
"datePublished": "2024-01-23T19:20:02.324Z",
"dateReserved": "2024-01-22T16:41:11.753Z",
"dateUpdated": "2025-06-17T21:19:26.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}