CVE-2025-58095
📋 TL;DR
This vulnerability allows attackers to execute arbitrary JavaScript code in users' browsers by tricking them into clicking specially crafted malicious URLs. It affects MedDream PACS Premium installations where the config.php functionality is accessible. The attack targets the imagedir parameter through reflected cross-site scripting.
💻 Affected Systems
- MedDream PACS Premium
📦 What is this software?
PACS server by MedDream
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy additional malware payloads.
Likely Case
Session hijacking, credential theft, or defacement of the application interface through injected content.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though some client-side disruption may still occur.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) but no authentication. Attack vectors include phishing emails or malicious websites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
Restart Required: No
Instructions:
1. Monitor MedDream vendor for security updates.
2. Apply patches when available.
3. Test in non-production environment first.
🔧 Temporary Workarounds
Input Validation and Sanitization
- Implement server-side validation and sanitization of the imagedir parameter in config.php
- Implement proper input filtering for the imagedir parameter (e.g., allow only alphanumeric characters and specific safe symbols)
Web Application Firewall Rules
- Deploy WAF rules to block XSS payloads targeting the imagedir parameter
- Configure WAF to detect and block patterns like <script>, javascript:, and other XSS indicators in URL parameters
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Restrict access to config.php functionality to trusted IP addresses only
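The workaround and CSP items above describe the pattern without showing it. The following is an added illustration, not MedDream's code (config.php is PHP; this Python stand-in only models the handler's behaviour). It places a vulnerable reflection of imagedir next to a hardened version that rejects values outside an allowlist, HTML-encodes whatever is echoed, and attaches a CSP without 'unsafe-inline'. The allowlist pattern, the handler name and the host in the probe URL are assumptions.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Allowlist for a directory-name parameter: letters, digits, underscore,
# hyphen, dot and forward slash, bounded in length. Assumption for the
# example; tighten it to the deployment's real path conventions.
_IMAGEDIR_RE = re.compile(r"^[A-Za-z0-9_./-]{1,128}$")


def validate_imagedir(raw: Optional[str]) -> Optional[str]:
    """Return the value if it satisfies the allowlist, else None.

    Rejecting (rather than stripping) is safer: a stripped value can
    re-assemble into a payload, and rejections are easy to log.
    """
    if raw is None:
        return None
    if ".." in raw:  # also refuse traversal-looking names
        return None
    return raw if _IMAGEDIR_RE.fullmatch(raw) else None


def render_vulnerable(imagedir: str) -> str:
    """Reflects the parameter into HTML without encoding (the flaw class)."""
    return f'<input name="imagedir" value="{imagedir}">'


def render_hardened(imagedir: str) -> str:
    """Validate first, then HTML-encode on output so even an accepted
    value cannot break out of the attribute."""
    safe = validate_imagedir(imagedir)
    if safe is None:
        safe = ""  # or render an error page; never echo the raw value
    return f'<input name="imagedir" value="{html.escape(safe, quote=True)}">'


def security_headers() -> dict:
    """Defensive headers for the config page. A script-src without
    'unsafe-inline' blocks injected inline scripts even if encoding is
    missed somewhere; adjust the policy to what the page really loads."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def handle_request(url: str) -> tuple:
    """Hypothetical stand-in for the config.php handler: parse the query
    string, validate imagedir, return (status, headers, body)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = qs.get("imagedir", [None])[0]
    if raw is not None and validate_imagedir(raw) is None:
        return (400, security_headers(), "invalid imagedir")
    return (200, security_headers(), render_hardened(raw or ""))


if __name__ == "__main__":
    # Constructed probe using the payload shape quoted in this advisory.
    probe = "https://pacs.example.invalid/config.php?imagedir=<script>alert('test')</script>"
    print(render_vulnerable("<script>alert('test')</script>"))
    print(handle_request(probe))
    print(handle_request("https://pacs.example.invalid/config.php?imagedir=images/2025"))
```

Validation and output encoding are separate layers on purpose: the allowlist stops the payload at the door and gives you a loggable rejection, while html.escape protects any value that reaches the template, and the CSP limits what an injected script could do if both were bypassed.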
🔍 How to Verify
Check if Vulnerable:
Test by accessing config.php with the imagedir parameter containing an XSS payload (e.g., ?imagedir=<script>alert('test')</script>)
Check Version:
Check MedDream PACS Premium version in administration interface or configuration files
Verify Fix Applied:
Verify that XSS payloads no longer execute and are properly sanitized in output
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to config.php with suspicious imagedir parameter values containing script tags or JavaScript code
Network Indicators:
- Unusual outbound connections from MedDream server following suspicious config.php requests
SIEM Query:
source="web_logs" AND uri="*config.php*" AND (param="*<script>*" OR param="*javascript:*" OR param="*onerror=*" OR param="*onload=*")
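The SIEM query above matches raw substrings, which misses percent-encoded payloads and mixed case. The following is an added example, not part of the advisory or MedDream's tooling: it runs the same indicators over constructed combined-format access-log lines, URL-decoding each parameter value before comparing. It generalises the query slightly by matching the prefix <script rather than <script> so that a script tag with attributes is also caught. The log format, hosts and timestamps are constructed sample data.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators mirrored from the advisory's SIEM query, compared
# case-insensitively after URL decoding. "<script" is a prefix so
# "<script src=..." is also caught.
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Apache/nginx combined log line: host ident user [time] "METHOD TARGET PROTO" status bytes
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): one benign request, the
# advisory's payload in plain text, the same payload percent-encoded
# (which a raw substring match would miss), and a hit on another page
# that the config.php filter should exclude.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2025:10:01:02 +0000] "GET /pacs/config.php?imagedir=images/2025 HTTP/1.1" 200 1532
203.0.113.11 - - [10/Sep/2025:10:01:05 +0000] "GET /pacs/config.php?imagedir=<script>alert('test')</script> HTTP/1.1" 200 1601
203.0.113.12 - - [10/Sep/2025:10:01:09 +0000] "GET /pacs/config.php?imagedir=%3Cscript%3Ealert('test')%3C/script%3E HTTP/1.1" 200 1598
203.0.113.13 - - [10/Sep/2025:10:02:00 +0000] "GET /pacs/index.php?q=<script> HTTP/1.1" 200 900
"""


def parse_line(line: str):
    """Return the named fields of a combined-format line, or None if it
    does not parse (malformed lines are skipped, not treated as hits)."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_config_request(target: str) -> bool:
    """True if the request targets config.php and any query parameter
    value, after URL decoding, contains an XSS indicator."""
    parts = urlsplit(target)
    if "config.php" not in parts.path.lower():
        return False
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch
        # double-encoded values, then compare in lowercase.
        decoded = unquote_plus(value).lower()
        if any(ind in decoded for ind in INDICATORS):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (host, time, target) for every matching request."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_config_request(rec["target"]):
            hits.append((rec["host"], rec["time"], rec["target"]))
    return hits


if __name__ == "__main__":
    for host, when, target in scan_log(SAMPLE_LOG):
        print(f"{when} {host} {target}")
```

Scanning the decoded parameter value rather than the raw URI is the point: the second and third sample lines carry the same payload, but only the decoded comparison flags both. Pair a hit with the "unusual outbound connections" network indicator above to prioritise it.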