Merge PACS Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Merge PACS version 7.0. This vulnerability allows attackers to perform unauthorized actions by creating malicious HTML forms that target the merge-viewer endpoint. By submitting POST requests to the summary endpoint with login credentials, attackers can hijack user sessions and gain unauthorized access to the PACS system.

Impact

Exploitation of this vulnerability allows for cross-site request forgery, enabling attackers to perform actions on behalf of authenticated users.

Reproduction

To exploit this vulnerability, create an HTML form that includes the 'amicasUsername' and 'password' fields, along with a 'submitButton' field. The form should be submitted to the '/servlet/actions/merge-viewer/summary' endpoint. Include a valid JSESSIONID cookie to maintain the user session.
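As an added defensive example (not code from the advisory or from Merge PACS), the following server-side guard shows the two standard checks that would block a forged credential POST to the summary endpoint: the request must carry an Origin or Referer from the deployment's own origin, and it must present a synchronizer token bound to the JSESSIONID cookie. The trusted origin, the csrfToken field name and the sample requests are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit

PROTECTED_PATH = "/servlet/actions/merge-viewer/summary"
TRUSTED_ORIGINS = {"https://pacs.example.internal"}  # assumed deployment origin

@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict

def source_origin(req):
    """Origin the browser attached, falling back to the Referer's scheme+host."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/").lower()
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None

def csrf_verdict(req, session_tokens):
    """Return (allowed, reason) for a request against the summary endpoint."""
    if req.method.upper() != "POST" or req.path != PROTECTED_PATH:
        return True, "not a protected request"
    src = source_origin(req)
    if src is None:
        return False, "credential POST without Origin/Referer"
    if src not in TRUSTED_ORIGINS:
        return False, f"cross-site origin {src}"
    # Synchronizer token: must match the one issued to this JSESSIONID.
    expected = session_tokens.get(req.cookies.get("JSESSIONID"), "")
    if not expected or not hmac.compare_digest(expected, req.form.get("csrfToken", "")):
        return False, "missing or mismatched CSRF token"
    return True, "same-origin request with valid token"

# Constructed sample: a token issued to a logged-in session, one genuine submission
# and one forged from an attacker-controlled page that carries the same cookie.
SESSION_TOKENS = {"abc123": "tok-7f3a"}
FORM = {"amicasUsername": "alice", "password": "secret", "submitButton": "Login"}
GENUINE = Request("POST", PROTECTED_PATH, {"Origin": "https://pacs.example.internal"},
                  {"JSESSIONID": "abc123"}, {**FORM, "csrfToken": "tok-7f3a"})
FORGED = Request("POST", PROTECTED_PATH, {"Origin": "https://evil.example"},
                 {"JSESSIONID": "abc123"}, FORM)
```

Marking JSESSIONID as SameSite=Lax (or Strict) in the container's cookie configuration adds a browser-enforced layer on top of these checks.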

Added: Apr 29, 2026, 8:37 PM
Updated: Apr 29, 2026, 8:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.5
remediation: 0.0
relevance: 7.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.