Researchers have recently reported a number of vulnerabilities in Canon Medical's Vitrea View software. Exploiting the flaws could expose patients' information and other related services to an attacker. Canon Medical patched the issues following the bug reports and is urging customers to update their systems to receive the fixes.
Canon Medical Vitrea View Vulnerabilities
Reportedly, researchers from Trustwave SpiderLabs found two different vulnerabilities in the Canon Medical Vitrea View software.
As elaborated in their report, the flaws existed in the third-party software powering the Canon Medical application that facilitates viewing medical images. Exploiting the flaws could allow an adversary to gain access to patients' data and other Vitrea View services.
Specifically, the first issue was a reflected cross-site scripting (XSS) vulnerability in the error message. The flaw arose because the error page at /vitrea-view/error/ reflected all input after the /error/ subdirectory back to the user. While the reflection had some minor restrictions, a skilled user could bypass them via backticks (`) and base64 encoding, and use the injected script to load remote code.
The second vulnerability was also identified as a reflected XSS; however, it existed in the Vitrea View administrative panel. Describing this vulnerability, the researchers stated,
“The search for ‘groupID’, ‘offset’, and ‘limit’ in the ‘Group and Users’ page of the administration panel all reflect their input back to the user when text is entered instead of the expected numerical inputs. Similar to the previous finding, the reflected input is slightly restricted, as it does not allow spaces.”
Exploiting this vulnerability required social engineering: the attacker would have to trick a user who has access to the admin panel into opening a maliciously crafted link. Because the injected script runs in that user's authenticated browser session, opening the link would hand the attacker the user's admin-level control.
Upon exploiting the flaws, an attacker could view and access patients' details, including images and scans. The adversary could also obtain credentials for sensitive services and even modify information, depending on the privileges gained.
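To make the two reflection patterns concrete, the following is an added illustration written for this page; it is not code from Canon Medical, Vitrea View or Trustwave, and the real product's filter rules are not public. It models the error page and the admin search as small functions, assumes the "minor restriction" is a blocklist of whitespace and quote characters (an assumption), shows why a backtick template literal wrapped around a base64 blob slips past such a blocklist, and places the two standard fixes beside the vulnerable models: contextual HTML output encoding for anything that must be reflected, and positive integer validation for parameters such as groupID, offset and limit so that non-numeric input is never reflected at all. The inner script and the attacker.example hostname are constructed sample data.

```javascript
// Added illustration, not code from Canon Medical, Vitrea View or Trustwave.
// The character filter below (reject whitespace and quote characters) is an
// assumption standing in for the product's undisclosed "minor restrictions".

// --- vulnerable models -----------------------------------------------------

// Model of the /vitrea-view/error/ page: everything after /error/ is echoed
// into the HTML response after a weak blocklist check.
function vulnerableErrorPage(path) {
  const marker = '/error/';
  const tail = decodeURIComponent(path.slice(path.indexOf(marker) + marker.length));
  if (/[\s"']/.test(tail)) {                 // assumed "minor restriction"
    return '<h1>Error</h1><p>Bad request</p>';
  }
  return `<h1>Error</h1><p>No such page: ${tail}</p>`;   // raw reflection
}

// Model of the admin "Group and Users" search: a numeric parameter that is
// echoed back verbatim when it is not a number; only spaces are rejected.
function vulnerableGroupsPage(groupID) {
  if (/\s/.test(groupID)) return '<p>Bad request</p>';
  const n = Number(groupID);
  if (Number.isInteger(n)) return `<p>Showing group ${n}</p>`;
  return `<p>No results for ${groupID}</p>`;           // raw reflection
}

// --- how such restrictions are sidestepped ---------------------------------

// A script element whose body is eval(atob(`...`)): the template literal
// needs no quote characters, and the base64 alphabet [A-Za-z0-9+/=] carries
// whatever the blocklist would otherwise reject (spaces, quotes, a URL).
// The inner script is whatever the attacker wants to run; it is constructed
// sample data in the test, not a payload taken from the report.
function buildPayload(js) {
  const b64 = Buffer.from(js, 'utf8').toString('base64');
  return `<script>eval(atob(\`${b64}\`))</script>`;
}

// --- fixed models -----------------------------------------------------------

// Escape for an HTML text/attribute context. The backtick is included because
// older Internet Explorer treated it as an attribute delimiter.
function htmlEscape(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
  })[c]);
}

// Fix 1: contextual output encoding. Whatever is reflected is escaped for the
// HTML context it lands in, so the blocklist is no longer the defence.
function safeErrorPage(path) {
  const marker = '/error/';
  const tail = decodeURIComponent(path.slice(path.indexOf(marker) + marker.length));
  return `<h1>Error</h1><p>No such page: ${htmlEscape(tail)}</p>`;
}

// Fix 2: positive validation. groupID/offset/limit are integers, so anything
// that is not a short digit string is rejected with 400 and never reflected.
function safeGroupsPage(groupID) {
  if (!/^\d{1,9}$/.test(groupID)) return { status: 400, body: '<p>Bad request</p>' };
  return { status: 200, body: `<p>Showing group ${Number(groupID)}</p>` };
}
```

The two fixes are complementary rather than alternatives: validation keeps attacker-controlled text out of the response entirely where the parameter has a known shape, and output encoding protects the places (such as a "page not found" message) where the input genuinely has to be shown back.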
Canon Medical Patched The Flaws
Following this discovery, Trustwave researchers responsibly disclosed the vulnerabilities to Canon Medical. In response, the vendor rolled out patched software version 7.7.6 for its devices.
Hence, the researchers now urge users to update their systems to the latest software version to receive the patches.