Canon Medical’s Vitrea View is a widely used tool for securely sharing medical images between radiologists, physicians, and other healthcare providers on a patient care team. Two newly discovered vulnerabilities (collectively tracked as CVE-2022-37461) could allow threat actors to access much more than X-rays.
One flaw is an unauthenticated reflected cross-site scripting (XSS) in an error message, according to a new report from Trustwave’s SpiderLabs. Jordan Hedges, the threat researcher behind the finds, said the second is a separate Reflected XSS in the Vitrea View admin panel.
“If exploited, these vulnerabilities could be used to retrieve patient information, stored images, or scans, and modify information, depending on privileges used during the session,” Hedges wrote in a Thursday analysis. “Sensitive information and credentials for various services integrated with Vitrea View could be accessed, as well.”
The Vitrea View meets international Digital Imaging and Communications in Medicine (DICOM) standards, the report notes, and thus integrates with many other things.
“Vitrea View is used to centralize potentially multiple sources and solutions for medical imaging, including X-Rays, MRIs, CRT scans, 3D imaging, etc.,” Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells Dark Reading.
He added, “The images are also associated with a patient’s records, so these vulnerabilities means that there could potentially be a wealth of information that might be exfiltrated (damaging a patient’s confidentiality) or modified (swapping a patient’s medical images with another, deleting records, or potentially modifying patient information directly).”
The XSS medical imaging vulnerabilities were submitted to Canon Medial and a patch has been released. Hedges recommends organizations running the tool apply it immediately.