A stored cross-site scripting (XSS) vulnerability exists in Orthanc Explorer 2 up to version 1.12.0. The flaw resides in the URL handler within `WebApplication/src/components/StudyList.vue`, where the `remote-source` argument is not properly sanitized before rendering. An attacker can inject malicious scripts through this parameter, which execute in the context of a victim's browser session when interacti [truncated]
CVE-2025-0896 affects Orthanc Server versions prior to 1.5.8. According to the CISA CSAF advisory, when remote access is enabled, basic authentication is not enabled by default, which can leave the service open to unauthorized access. The advisory rates the issue CVSS 9.8 (Critical). Orthanc advises updating to the latest version or explicitly enabling HTTP authentication by setting AuthenticationEnabled [truncated]
A stored cross-site scripting (XSS) vulnerability exists in the Orthanc Osimis WebViewer, a DICOM medical imaging viewer used in healthcare environments. The flaw allows an attacker to embed malicious JavaScript payloads within DICOM study metadata. When a healthcare practitioner or administrator subsequently views the compromised study through the web interface, the embedded script executes in the victim [truncated]