PatchSiren cyber security CVE debrief

CVE-2023-7238 Orthanc CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the Orthanc Osimis WebViewer, a DICOM medical imaging viewer used in healthcare environments. The flaw allows an attacker to embed malicious JavaScript payloads within DICOM study metadata. When a healthcare practitioner or administrator subsequently views the compromised study through the web interface, the embedded script executes in the victim's browser context. This vulnerability carries significant risk in clinical settings where DICOM studies are routinely shared across departments and external institutions, potentially enabling session hijacking, unauthorized access to patient data, or manipulation of medical imaging workflows. The attack requires no authentication and minimal user interaction beyond normal viewing operations.

Vendor: Orthanc
Product: Osimis WebViewer
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-01-23
Original CVE updated: 2024-01-23
Advisory published: 2024-01-23
Advisory updated: 2024-01-23

Who should care

Healthcare delivery organizations, medical imaging departments, PACS administrators, clinical engineering teams, and cybersecurity staff responsible for medical device security should prioritize this vulnerability. The stored nature of the XSS and the routine sharing of DICOM studies across institutional boundaries increase exposure risk. Organizations subject to HIPAA or other healthcare data protection regulations should assess this vulnerability for potential patient data exposure scenarios.

Technical summary

The Orthanc Osimis WebViewer fails to properly sanitize DICOM study metadata before rendering in the browser interface. An attacker can craft a malicious DICOM file containing JavaScript payloads in study tags or metadata fields. When this study is uploaded to an Orthanc instance and subsequently viewed by any user through the Osimis WebViewer, the embedded script executes without additional validation. The vulnerability is exploitable remotely with low complexity, requiring only that a victim view the compromised study. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component to the broader security context of the victim's browser session.

Defensive priority

HIGH

Recommended defensive actions

  • Update Orthanc installations to version 24.1.2 or later using the official Docker images or Windows installers
  • Review Orthanc's security bulletin for additional technical details and deployment guidance
  • Implement network segmentation to restrict DICOM traffic to authorized systems only
  • Validate and sanitize DICOM metadata fields before ingestion into PACS or viewer systems
  • Enable Content Security Policy (CSP) headers on web viewer deployments where supported
  • Monitor web viewer access logs for anomalous study viewing patterns or unexpected script execution
  • Apply principle of least privilege to DICOM upload capabilities, restricting study submission to authenticated and authorized sources
  • Conduct security awareness training for clinical staff on recognizing suspicious imaging study behavior
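The two controls that address the root cause of this class of bug are validating DICOM text attributes before ingestion (the fourth action above) and escaping every metadata value at render time. The following Python is an added illustration written for this debrief, not code from PatchSiren, Orthanc or the Osimis WebViewer; the screening rules, attribute keywords and study contents are constructed assumptions, and it works on an already-decoded dictionary of keyword-to-string values rather than parsing a DICOM file.

```python
import html
import re
from dataclasses import dataclass

# Screening rules for DICOM text attributes before they reach a web viewer.
# A hit is a reason to quarantine the study for review, not proof of an attack:
# free-text fields occasionally contain stray angle brackets.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<\s*/?\s*[a-zA-Z!?]"), "HTML/XML tag syntax"),
    (re.compile(r"javascript\s*:", re.IGNORECASE), "javascript: URL scheme"),
    (re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE), "inline event-handler attribute"),
    (re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]"), "control character"),
]


@dataclass(frozen=True)
class Finding:
    tag: str       # DICOM attribute keyword, e.g. "PatientName"
    value: str     # offending value, exactly as received
    reason: str    # which screening rule matched


def screen_metadata(metadata: dict[str, str]) -> list[Finding]:
    """Return one Finding per (attribute, rule) match; an empty list means clean."""
    findings = []
    for tag, value in metadata.items():
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(value):
                findings.append(Finding(tag, value, reason))
    return findings


def escape_for_html(value: str) -> str:
    """Escape a metadata value for insertion into HTML text or a quoted attribute."""
    return html.escape(value, quote=True)


def render_study_header(metadata: dict[str, str]) -> str:
    """Build the header table a viewer might display, escaping every value.

    This is the render-side fix: even if ingestion screening is bypassed,
    escaped markup is displayed as text and never executes.
    """
    rows = "".join(
        f"<tr><td>{escape_for_html(tag)}</td><td>{escape_for_html(value)}</td></tr>"
        for tag, value in metadata.items()
    )
    return f"<table>{rows}</table>"


# Constructed sample studies (hypothetical values, not taken from any real DICOM file).
BENIGN_STUDY = {
    "PatientName": "DOE^JANE",
    "StudyDescription": "CT CHEST W/O CONTRAST",
    "InstitutionName": "EXAMPLE HOSPITAL",
}
TAMPERED_STUDY = {
    "PatientName": "DOE^JOHN",
    "StudyDescription": "MRI BRAIN<script>/* constructed payload */</script>",
    "InstitutionName": "EXAMPLE HOSPITAL",
}

if __name__ == "__main__":
    for name, study in (("benign", BENIGN_STUDY), ("tampered", TAMPERED_STUDY)):
        hits = screen_metadata(study)
        print(f"{name}: {'QUARANTINE' if hits else 'accept'}")
        for f in hits:
            print(f"  {f.tag}: {f.reason}")
    print(render_study_header(TAMPERED_STUDY))
```

Screening and escaping are complementary: screening at the PACS boundary stops a tampered study from being stored at all and gives an audit record of the attempt, while escaping in the viewer protects users from anything that was already stored before the rule existed. Neither replaces the vendor update, which fixes the viewer itself.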

Evidence notes

The vulnerability is classified as stored XSS based on CISA's advisory description, which states that malicious payloads are uploaded as DICOM studies and triggered upon viewing. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, and low impacts across confidentiality, integrity, and availability. The affected product is specifically identified as Orthanc Osimis WebViewer: 1.4.2.0-9d9eff4.

Official resources

CVE-2023-7238 was published on January 23, 2024, per CISA's ICS Medical Advisory ICSMA-24-023-01. The vulnerability affects Orthanc Osimis WebViewer version 1.4.2.0-9d9eff4. Orthanc has addressed this issue in version 24.1.2 and later.