CVE-2025-54157 – A reflected cross-site scripting vulnerability ... (How to Fix)

📋 TL;DR

A reflected cross-site scripting vulnerability in MedDream PACS Premium allows attackers to execute arbitrary JavaScript code by tricking users into clicking a malicious URL. This affects healthcare organizations using MedDream PACS Premium 7.3.6.870 for medical imaging. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:

MedDream PACS Premium

Versions: 7.3.6.870

Operating Systems: All platforms running MedDream PACS Premium

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is in the encapsulatedDoc functionality specifically. All deployments of this version are affected.

📦 What is this software?

Pacs Server by Meddream

View all CVEs affecting Pacs Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker steals administrator session cookies, gains full system access, exfiltrates patient medical data, and modifies medical images/diagnoses.

🟠

Likely Case

Attacker steals user session cookies to access patient data, redirects users to phishing sites, or performs limited actions within the application.

🟢

If Mitigated

Attack limited to stealing non-sensitive session data if proper input validation and output encoding are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Reflected XSS vulnerabilities are commonly weaponized. Exploitation requires user interaction (clicking malicious link).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Contact MedDream vendor for patch availability
2. Apply patch when available
3. Test in non-production environment first
4. Deploy to production systems

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy WAF with XSS protection rules to block malicious requests

Input Validation

all

Implement strict input validation on encapsulatedDoc parameter

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution
Deploy reverse proxy with request filtering for encapsulatedDoc parameter

🔍 How to Verify

Check if Vulnerable:

Test encapsulatedDoc parameter with XSS payloads: <script>alert('XSS')</script>

Check Version:

Check MedDream PACS Premium version in administration interface or configuration files

Verify Fix Applied:

Verify input validation sanitizes encapsulatedDoc parameter and output is properly encoded

📡 Detection & Monitoring

Log Indicators:

HTTP requests containing script tags in encapsulatedDoc parameter
Unusual URL patterns with JavaScript code

Network Indicators:

Malicious URLs containing script payloads
Requests to encapsulatedDoc endpoint with suspicious parameters

SIEM Query:

source="web_logs" AND (uri="*encapsulatedDoc*" AND (param="*<script>*" OR param="*javascript:*"))

📊 Metadata

CVE ID: CVE-2025-54157

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.04% exploit probability (10.4th percentile)

Published: January 20, 2026

Last Updated: January 29, 2026

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2256 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2256 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-54157, you might also want to check these: