
CVE-2025-46270: MedDream PACS Server XSS Vulnerability

CVE-2025-46270 is a reflected cross-site scripting vulnerability in MedDream PACS Server that enables arbitrary JavaScript execution. This post covers the technical details, affected versions, and mitigation steps.

CVE-2025-46270 Overview

CVE-2025-46270 is a reflected cross-site scripting (XSS) vulnerability in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. The flaw lets an attacker craft a malicious URL that, when visited by an authenticated user, executes arbitrary JavaScript in the victim's browser context. The issue is tracked under [CWE-79] and was disclosed in the Talos Intelligence Vulnerability Report TALOS-2025-2258. MedDream PACS is a Picture Archiving and Communication System used in clinical environments to store and review medical imaging, so successful exploitation can expose sensitive patient data and session material.

Critical Impact

An attacker who lures an authenticated PACS user to a crafted URL can execute JavaScript in the user's browser, hijack the session, and access medical imaging data.

Affected Products

  • MedDream PACS Premium 7.3.6.870
  • MedDream PACS Server (Premium edition)
  • Deployments exposing the fetchPriorStudies endpoint to user-controlled input

Discovery Timeline

  • 2026-01-20 - CVE-2025-46270 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2025-46270

Vulnerability Analysis

The vulnerability is a reflected XSS in the fetchPriorStudies functionality of MedDream PACS Premium. The application reflects attacker-supplied input from request parameters back into the response without proper output encoding or input sanitization. When a victim opens the crafted URL while authenticated, the injected JavaScript runs under the origin of the PACS application.

The attack requires user interaction and a low-privileged account to be effective. Because the CVSS scope is changed (the injected script runs in the victim's browser rather than inside the vulnerable server component), the executed script can affect resources beyond the originally vulnerable component, including session tokens, DICOM study metadata, and any data accessible through the PACS web interface. The confidentiality and integrity impacts are limited but meaningful in a healthcare context where protected health information is involved.

Root Cause

The root cause is improper neutralization of input during web page generation [CWE-79]. The fetchPriorStudies handler embeds request-derived values directly into the HTTP response without context-appropriate encoding. Standard mitigations such as HTML-entity encoding, JavaScript-context escaping, and Content Security Policy enforcement are absent or insufficient on this code path.
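The two encoding mistakes named above (no HTML-entity encoding on an HTML sink, no JavaScript-context escaping on an inline-script sink) are easiest to see side by side. The following is an added example, not code from MedDream or from the Talos report: the sinks, the `patientId` parameter name and the page layout are assumptions standing in for whatever fetchPriorStudies actually renders. The input value is the canonical XSS test string, constructed for the example.

```python
import html
import json

# Constructed input: the canonical XSS test string, standing in for any value an
# attacker could place in a reflected request parameter. "patientId" is a
# hypothetical parameter name; the advisory does not name the vulnerable one.
PAYLOAD = "<script>alert(1)</script>"


def render_prior_studies_unsafe(patient_id):
    """The CWE-79 pattern: a request value is concatenated straight into HTML and JS."""
    return (
        "<h2>Prior studies for " + patient_id + "</h2>\n"
        "<script>var patientId = '" + patient_id + "';</script>"
    )


def js_string_literal(value):
    """Encode a value as a JavaScript string literal that cannot break out of a <script> block."""
    # json.dumps escapes quotes, backslashes and control characters (and, with the
    # default ensure_ascii=True, U+2028/U+2029). It leaves "<", ">" and "&" alone,
    # so a "</script>" inside the value would still terminate the block; encoding
    # those three as \uXXXX keeps the literal valid JS and inert as HTML.
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_prior_studies_safe(patient_id):
    """The same page with context-appropriate encoding applied at each sink."""
    return (
        "<h2>Prior studies for " + html.escape(patient_id, quote=True) + "</h2>\n"
        "<script>var patientId = " + js_string_literal(patient_id) + ";</script>"
    )


def script_close_count(page):
    """Count literal '</script' sequences; a correctly encoded page has exactly one (its own)."""
    return page.lower().count("</script")


if __name__ == "__main__":
    print("unsafe:", script_close_count(render_prior_studies_unsafe(PAYLOAD)))  # 3
    print("safe:  ", script_close_count(render_prior_studies_safe(PAYLOAD)))    # 1
    print(render_prior_studies_safe(PAYLOAD))
```

The point of the counter is that a single value needs a different encoder per sink: `html.escape` is correct for the text node but would be wrong inside the script block, where only a JavaScript string-literal encoder prevents the value from closing the tag early.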

Attack Vector

Exploitation is network-based and requires user interaction. An attacker constructs a URL containing a malicious payload aimed at the fetchPriorStudies parameter and delivers it through phishing, chat, or an embedded link on a third-party site. When an authenticated PACS user clicks the link, the server reflects the payload into the rendered page and the browser executes the injected script. Refer to the Talos vulnerability report for proof-of-concept request details.

Detection Methods for CVE-2025-46270

Indicators of Compromise

  • HTTP requests to the fetchPriorStudies endpoint containing <script>, javascript:, onerror=, or encoded variants in query parameters
  • Web server access logs showing unusually long or encoded values targeting fetchPriorStudies parameters
  • Outbound browser requests from PACS user sessions to unfamiliar domains following a click on an external link

Detection Strategies

  • Inspect web application firewall (WAF) and reverse proxy logs for reflected XSS signatures aimed at MedDream PACS URLs
  • Correlate user-agent and referer fields on fetchPriorStudies requests to identify links originating from external or untrusted sources
  • Hunt for session-cookie exfiltration patterns and anomalous API calls following PACS login events

Monitoring Recommendations

  • Enable verbose request logging on the PACS web tier and forward logs to a centralized SIEM for retention and search
  • Alert on HTTP 200 responses to fetchPriorStudies requests whose parameters contain HTML or JavaScript metacharacters
  • Monitor PACS user accounts for unexpected study access, export operations, or configuration changes after suspected XSS delivery
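The indicators, detection strategies and monitoring recommendations above combine naturally into one log scan: decode each fetchPriorStudies parameter (repeatedly, so double-encoded values surface), look for HTML/JavaScript metacharacters or overlong values, and enrich hits with the response status and whether the referer was external. The following is an added example, not tooling from MedDream, Talos or the page's author. It assumes NGINX/Apache "combined" log format, that the endpoint path is exactly `/fetchPriorStudies`, a PACS hostname of `pacs.example.internal`, and a 200-character length threshold; the log lines are constructed for the example, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines in "combined" format (made up for this
# example; not captured traffic). Line 2 is a once-encoded script tag from an
# external referer, line 3 a double-encoded event-handler payload, lines 1 and 4
# are benign.
SAMPLE_LOG = """\
10.0.0.5 - radiologist [20/Jan/2026:09:12:01 +0000] "GET /fetchPriorStudies?patientId=12345&studyUid=1.2.840.113619.2.55 HTTP/1.1" 200 4210 "https://pacs.example.internal/viewer" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2026:09:13:44 +0000] "GET /fetchPriorStudies?patientId=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4390 "https://mail.example.com/inbox" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2026:09:14:02 +0000] "GET /fetchPriorStudies?patientId=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
10.0.0.9 - tech [20/Jan/2026:09:15:10 +0000] "GET /login HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ENDPOINT = "/fetchPriorStudies"                    # endpoint named in the advisory
TRUSTED_REFERER_HOSTS = {"pacs.example.internal"}  # assumption: the PACS's own hostname
MAX_PARAM_LEN = 200                                # assumption: tune to real traffic

# HTML tag delimiters, the javascript: scheme and on*= handler attributes.
XSS_RE = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def referer_is_external(referer):
    """True when the referer names a host other than the PACS itself ('-' means none)."""
    if referer in ("", "-"):
        return False
    host = urlsplit(referer).hostname or ""
    return host not in TRUSTED_REFERER_HOSTS


def scan_access_log(log_text):
    """Return one finding per suspicious parameter value on fetchPriorStudies requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue
        # parse_qsl performs one round of decoding; fully_decode handles the rest.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            decoded = fully_decode(raw)
            reasons = []
            if XSS_RE.search(decoded):
                reasons.append("metacharacters")
            if len(raw) > MAX_PARAM_LEN:
                reasons.append("overlong-value")
            if not reasons:
                continue
            if decoded != raw:
                reasons.append("double-encoded")
            if m.group("status") == "200":
                reasons.append("status-200-reflected")
            if referer_is_external(m.group("referer")):
                reasons.append("external-referer")
            findings.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "param": name,
                "value": decoded,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["user"], f["param"], f["reasons"])
```

A 200 response to a request carrying metacharacters is the signal the monitoring bullet above asks for; a non-200 (for example a WAF block page) would still appear as a finding here, just without the `status-200-reflected` tag, which is useful for separating blocked attempts from ones that reached the application.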

How to Mitigate CVE-2025-46270

Immediate Actions Required

  • Restrict access to the MedDream PACS web interface to trusted networks and VPN-connected clinical users
  • Apply WAF rules that block reflected XSS payloads on requests targeting fetchPriorStudies
  • Notify PACS users to avoid clicking PACS-related links received from untrusted sources until a vendor patch is applied

Patch Information

No vendor advisory or fixed version is referenced in the current NVD entry. Administrators should contact MedDream and monitor the Talos Intelligence Vulnerability Report TALOS-2025-2258 for an updated build of MedDream PACS Premium beyond 7.3.6.870.

Workarounds

  • Deploy a strict Content Security Policy that disallows inline scripts and limits script sources on PACS responses
  • Require short-lived sessions and re-authentication for sensitive PACS actions to reduce the value of stolen session tokens
  • Train clinical staff on phishing risks and provide a reporting channel for suspicious URLs referencing the PACS hostname

An example NGINX reverse-proxy configuration that adds these headers to every PACS response (the `always` flag applies them to error responses too). Because `script-src 'self'` forbids inline scripts, test the policy against the MedDream viewer in report-only mode before enforcing it, since a web viewer that relies on inline scripts will break under it:

```nginx
# Example NGINX reverse proxy hardening for MedDream PACS
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "no-referrer" always;
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
