SonicDICOM PACS 2.3.2 Multiple Stored Cross-Site Scripting Vulnerabilities

Title: SonicDICOM PACS 2.3.2 Multiple Stored Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2017-5394
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 11.02.2017
Summary
SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer.
Description
The application suffers from multiple stored XSS vulnerabilities. Input passed to several API POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
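As an added illustration of the flaw class the description names (stored input echoed back into a page without encoding) and of the fix, the following is example code written for this page; it is not SonicDICOM code, not the advisory's PoC, and does not model the product's API. The sample value, the field name "patient_name" and the template fragments are constructed assumptions; the "unsafe" renderer shows the pattern the advisory describes, the "safe" renderers show output encoding for text and attribute contexts, and the header helper shows a defence-in-depth control.

```python
import html

# Constructed sample value: the kind of string an application might accept from
# an untrusted API POST parameter and later store and echo back into a page.
# Example data only, not taken from the advisory or the product.
UNTRUSTED_VALUE = 'Doe, Jane <script>alert(1)</script> & "co"'


def render_unsafe(value: str) -> str:
    """The pattern the advisory describes: stored input interpolated into HTML
    as-is. Any markup the value carries becomes live markup in the viewer's
    browser, which is exactly what makes the XSS stored and persistent."""
    return f'<td class="patient-name">{value}</td>'


def render_safe(value: str) -> str:
    """Hardened form for an HTML text context: encode on output. html.escape
    turns & < > " ' into entity references, so the browser displays the
    characters literally instead of parsing them as tags."""
    return f'<td class="patient-name">{html.escape(value, quote=True)}</td>'


def render_attr_safe(value: str) -> str:
    """Hardened form for an attribute context. quote=True (the default) is the
    important part here: an unencoded double quote would otherwise end the
    attribute early and let the rest of the value be parsed as new attributes."""
    escaped = html.escape(value, quote=True)
    return f'<input type="text" name="patient_name" value="{escaped}">'


def security_headers() -> dict:
    """Defence-in-depth response headers (real header names). A CSP that does
    not allow inline script keeps an encoding slip elsewhere from executing;
    it is a backstop, not a replacement for output encoding."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def still_contains_raw_tag(rendered: str, tag: str = "<script") -> bool:
    """Output check a code reviewer or unit test can run over a rendered
    fragment: is the untrusted tag still present unencoded? Case-insensitive
    because HTML tag names are."""
    return tag.lower() in rendered.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(UNTRUSTED_VALUE))
    print("safe   :", render_safe(UNTRUSTED_VALUE))
    print("attr   :", render_attr_safe(UNTRUSTED_VALUE))
    print("headers:", security_headers())
```

The useful habit this demonstrates is choosing the encoder by output context (HTML text vs. attribute) at the point where the value is written into the response, rather than trying to clean the value when it is stored: the stored copy stays faithful to what was submitted, and every rendering path encodes it for its own context.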
Vendor
JIUN Corporation - https://www.sonicdicom.com
Affected Version
2.3.2 and 2.3.1
Tested On
Microsoft-HTTPAPI/2.0
Vendor Status
[22.11.2016] Vulnerability discovered.
[28.11.2016] Vendor contacted.
[29.11.2016] Vendor responds asking more details.
[29.11.2016] Sent details to the vendor.
[30.11.2016] Vendor replies.
[04.12.2016] Asked vendor for status update.
[06.12.2016] Vendor is checking the issues.
[14.12.2016] Asked vendor for confirmation of the issues.
[14.12.2016] Meanwhile, vendor releases version 2.3.2 which fixes a bug in DICOM comm.
[15.12.2016] Vendor confirms the issues, scheduling patch in April 2017.
[26.01.2017] Asked vendor for status update.
[27.01.2017] Vendor replies.
[11.02.2017] Public security advisory released.
PoC
sonicdicom_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/41309/
[2] https://cxsecurity.com/issue/WLB-2017020111
[3] https://packetstormsecurity.com/files/141042
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/121957
Changelog
[11.02.2017] - Initial release
[18.02.2017] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk