Canon Medical’s Vitrea View is a widely used tool for securely sharing medical images between radiologists, physicians, and other healthcare providers on a patient care team. Two newly discovered vulnerabilities (collectively tracked as CVE-2022-37461) could allow threat actors to access far more than X-rays.
One flaw is an unauthenticated reflected cross-site scripting (XSS) in an error message, according to a new report from Trustwave’s SpiderLabs. Jordan Hedges, the threat researcher behind the finds, said the second is a separate reflected XSS in the Vitrea View admin panel.
“If exploited, these vulnerabilities could be used to retrieve patient information, stored images, or scans, and modify records, depending on privileges used during the session,” Hedges wrote in a Thursday analysis. “Sensitive information and credentials for various services integrated with Vitrea View could be accessed, as well.”
Vitrea View meets international Digital Imaging and Communications in Medicine (DICOM) standards, the report notes, and thus integrates with many other systems.
“Vitrea View is used to centralize potentially multiple sources and solutions for medical imaging, including X-rays, MRIs, CRT scans, 3D imaging, etc.,” Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells Dark Reading.
He added, “The images are also associated with a patient’s records, so these vulnerabilities mean that there could potentially be a wealth of data that might be exfiltrated (damaging a patient’s confidentiality) or modified (swapping a patient’s medical images with another, deleting records, or potentially modifying patient records directly).”
The XSS medical imaging vulnerabilities were submitted to Canon Medical and a patch has been released. Hedges recommends that organizations running the tool apply it immediately.