MedDream PACS Premium Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in MedDream PACS Premium version 7.3.6.870. This vulnerability arises in the existingUser functionality, where the 'external' parameter is not properly sanitized before being outputted as HTML. As a result, an attacker can craft a malicious URL that executes arbitrary JavaScript code. The issue is present in the 'Pacs/existingUser.php' script, where the unsanitized parameter value is displayed, allowing for the injection of scripts that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's session.

Reproduction

To reproduce this vulnerability, send a GET request to 'Pacs/existingUser.php' with a crafted 'external' parameter that includes JavaScript code, such as a script tag with an alert function. The injected script will be executed when the response is rendered in the browser.

Remediation

Users are advised to update to the patched version released by the vendor on December 5, 2025.