The web server of Microsoft DICOM Server is affected by a js/html injection vulnerability due to DOM injection.
Line 43
let baseUrl = () => {
var version = $("[name='version']:checked").val()
return serverAddressInput.val() + "/" + version
}
Flows into the function getPostUrl:
let getPostUrl = () => {
if (isPartitionEnabled()) {
return baseUrl() + "/" + partitionUrl() + "/studies"
} else {
return baseUrl() + "/studies"
And it finally reaches the sink function that transforms the tainted input into HTML:
serverAddressDisplay.html(getPostUrl())
- MSRC Case 75110 opened on Oct 11 2022.
- On Nov 7 2022, I was informed they were not going to fix this issue:
Dear Finder, Thank you again for your submission to MSRC. Our engineers have investigated the report and we have informed the appropriate team about the issues you reported. However, as this issue is of Moderate severity, we have determined that it does not require immediate security service. A fix for this issue will be considered in a future version of this product. At this time, we will not be providing ongoing updates of the status of the fix, as the case does not meet the bar for servicing by MSRC. So, we have closed this case.
- I discovered that they issued a patch on Oct 21, 2022, without telling me.
- Oh well, Microsoft being Microsoft once again...