MedDream PACS Premium Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in MedDream PACS Premium version 7.3.6.870, specifically within the downloadZip functionality. This vulnerability allows for the execution of arbitrary JavaScript code. It arises because the 'seq' parameter in the 'Pacs/downloadZip.php' script is not properly sanitized before being outputted in the HTML. An attacker can exploit this by crafting a malicious URL that includes JavaScript code, which is then executed when the URL is accessed.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject and execute malicious JavaScript in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a GET request to 'Pacs/downloadZip.php' with a crafted 'seq' parameter that includes unsanitized HTML or JavaScript. If the 'seq' value is not found in the session, the response will include the injected script, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update to the patched version released by the vendor on December 5, 2025.