Philips Vue PACS Improper Input Validation and Coding Standards Vulnerability

Vulnerability

A vulnerability exists in Philips Vue PACS versions 12.2.x.x and prior, as well as in Vue MyVue, Vue Speech, and Vue Motion (through 12.2.1.5). The issue arises from the software not adhering to certain coding standards, which can create weaknesses or exacerbate existing vulnerabilities. This lack of proper coding practices has led to several specific vulnerabilities, including improper input validation, cleartext transmission of sensitive information, and cross-site scripting, among others. Successful exploitation could allow unauthorized access, data modification, or code execution, negatively impacting the system's overall integrity and availability.

Impact

The vulnerability could be exploited to eavesdrop on communications, view or modify data, gain unauthorized system access, execute malicious code, install unauthorized software, or disrupt system data integrity, all of which could have serious implications for patient care and data security.

Remediation

Philips released version 12.2.8.100 of PACS in Q1 2022, which addresses this vulnerability. Users should contact a Philips Sales representative or submit a quote request in the eService portal for assistance with this update.

Added: May 15, 2026, 8:46 AM
Updated: May 15, 2026, 8:46 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 1.9
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.