A critical cross-site scripting (XSS) vulnerability has been identified in Canon Vitrea View, medical imaging software provided by Canon Medikal, which, if exploited, could allow unauthorized access to patient information.
The vulnerability, tracked as CVE-2022-37461, is caused by insufficient sanitization of user-supplied data in the error message served from the “/vitrea-view/error/” path. As a result, a remote threat actor can exploit it to access patient information or stored images and, depending on the privileges of the session in which the payload runs, modify that data.
The vulnerability affects Vitrea View versions before 7.7.6 and has been fixed in Vitrea View 7.7.6. Accordingly, all users running 7.x versions of Vitrea View are advised to apply the published update immediately to avoid exposure to data breaches carried out through this vulnerability.
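As an added illustration of the bug class described above (hypothetical code, not Vitrea View's own implementation, which the advisory does not show), the snippet below places an error page that reflects user text unescaped beside its escaped form, and adds a defender-side check over web-server logs for requests to the error path whose query string carries HTML markup. The parameter name `msg`, the Common Log Format layout and the sample log lines are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit, unquote_plus

ERROR_PATH = "/vitrea-view/error/"   # the path named in the advisory


def render_error_unsafe(user_msg: str) -> str:
    """Vulnerable pattern: user-controlled text is concatenated into HTML as-is."""
    return f"<html><body><h1>Error</h1><p>{user_msg}</p></body></html>"


def render_error_safe(user_msg: str) -> str:
    """Hardened pattern: HTML-escape (quotes included) and bound the length
    before reflecting user text into the page."""
    safe = html.escape(user_msg[:200], quote=True)
    return f"<html><body><h1>Error</h1><p>{safe}</p></body></html>"


# Metacharacters that have no business in a plain error-message parameter.
_MARKUP = re.compile(r"[<>\"']|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_error_requests(log_lines):
    """Defender-side check: return the log lines whose request targets the
    error path and whose URL-decoded query string contains HTML markup."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.startswith(ERROR_PATH):
            continue
        if _MARKUP.search(unquote_plus(url.query)):
            hits.append(line)
    return hits


# Constructed sample log lines (Common Log Format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vitrea-view/error/?msg=Session+expired HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /vitrea-view/error/?msg=%3Cb%3Eoops%3C%2Fb%3E HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /vitrea-view/home/?q=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(render_error_safe("<b>oops</b>"))
    for hit in suspicious_error_requests(SAMPLE_LOG):
        print("flag:", hit)
```

Only the second sample line is flagged: it targets the error path and its decoded query contains markup, whereas the third carries markup but hits a different path.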