Orthanc Osimis DICOM Web Viewer
7.1 · ICS-CERT ICSMA-24-023-01 · Jan 23, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Cross-site scripting (XSS) vulnerability in Osimis WebViewer (Orthanc DICOM viewer) allows an attacker to execute arbitrary JavaScript code in the victim's browser. An attacker could inject malicious JavaScript via a crafted URL or DICOM image link, enabling data theft, session hijacking, or manipulation of displayed medical images. Affects Osimis WebViewer version 1.4.2.0-9d9eff4.
What this means
What could happen
An attacker can inject malicious JavaScript into the Orthanc web viewer, allowing them to steal browser data, modify displayed medical images, or redirect users to phishing sites. This could compromise the integrity of DICOM image review and patient data confidentiality.
Who's at risk
Healthcare facilities and diagnostic imaging centers using Orthanc with the Osimis WebViewer should be concerned. This affects radiologists, clinicians, and IT staff who review DICOM images through the web interface. Any organization running Orthanc 1.4.2.0 or similar versions for medical image storage and viewing is at risk.
How it could be exploited
An attacker crafts a malicious URL or injects JavaScript payload into a DICOM image or link that a user clicks while viewing the Osimis WebViewer. The JavaScript executes in the victim's browser with the permissions of the web viewer application, allowing access to session tokens, patient data, or the ability to manipulate displayed medical images.
Prerequisites
- User must click a malicious link or open a crafted DICOM image in the Osimis WebViewer
- The Orthanc server must be accessible from the user's network or the internet
- User interaction is required to trigger the attack
Remotely exploitable · User interaction required · Low complexity attack · Default or common deployment exposed to network · Affects medical imaging and patient data integrity
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: Osimis WebViewer
Affected Versions: 1.4.2.0-9d9eff4
Fix Status: 24.1.2 or greater
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the Orthanc web viewer by placing it behind a firewall and not exposing it to the internet
- WORKAROUND: Train staff not to click links in unsolicited emails or open unexpected attachments, especially those claiming to contain DICOM images
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Orthanc to version 24.1.2 or greater, including Docker images and Windows installers
Long-term hardening
- HARDENING: Isolate the Orthanc server on a separate network segment from clinical workstations and business networks
- HARDENING: If remote access to Orthanc is required, use a VPN with authentication and keep VPN software updated
CVEs (1)