CVE-2023-33255

An issue was discovered in Papaya Viewer 1.0.1449. User-supplied input in form of DICOM or NIFTI images can be loaded into the Papaya web application without any kind of sanitization. This allows injection of arbitrary JavaScript code into image metadata, which is executed when that metadata is displayed in the Papaya web application.
Configurations

Configuration 1 (hide)

cpe:2.3:a:uthscsa:papaya_viewer:1.0:*:*:*:*:*:*:*

History

21 Nov 2024, 08:05

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/172644/Papaya-Medical-Viewer-1.0-Cross-Site-Scripting.html - Exploit, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/172644/Papaya-Medical-Viewer-1.0-Cross-Site-Scripting.html - Exploit, Third Party Advisory, VDB Entry
References () http://seclists.org/fulldisclosure/2023/May/21 - Exploit, Mailing List, Third Party Advisory () http://seclists.org/fulldisclosure/2023/May/21 - Exploit, Mailing List, Third Party Advisory
References () https://schutzwerk.com - Not Applicable () https://schutzwerk.com - Not Applicable
References () https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt - Third Party Advisory () https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt - Third Party Advisory
References () https://www.schutzwerk.com/blog/schutzwerk-sa-2022-001/ - () https://www.schutzwerk.com/blog/schutzwerk-sa-2022-001/ -

09 Jun 2023, 19:15

Type Values Removed Values Added
References
  • (MISC) https://www.schutzwerk.com/blog/schutzwerk-sa-2022-001/ -
Summary An issue was discovered in Papaya Viewer 4a42701. User-supplied input in form of DICOM or NIFTI images can be loaded into the Papaya web application without any kind of sanitization. This allows injection of arbitrary JavaScript code into image metadata, which is executed when that metadata is displayed in the Papaya web application An issue was discovered in Papaya Viewer 1.0.1449. User-supplied input in form of DICOM or NIFTI images can be loaded into the Papaya web application without any kind of sanitization. This allows injection of arbitrary JavaScript code into image metadata, which is executed when that metadata is displayed in the Papaya web application.

02 Jun 2023, 16:07

Type Values Removed Values Added
CWE CWE-79
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
References (MISC) http://packetstormsecurity.com/files/172644/Papaya-Medical-Viewer-1.0-Cross-Site-Scripting.html - (MISC) http://packetstormsecurity.com/files/172644/Papaya-Medical-Viewer-1.0-Cross-Site-Scripting.html - Exploit, Third Party Advisory, VDB Entry
References (FULLDISC) http://seclists.org/fulldisclosure/2023/May/21 - (FULLDISC) http://seclists.org/fulldisclosure/2023/May/21 - Exploit, Mailing List, Third Party Advisory
References (MISC) https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt - (MISC) https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt - Third Party Advisory
References (MISC) https://schutzwerk.com - (MISC) https://schutzwerk.com - Not Applicable
CPE cpe:2.3:a:uthscsa:papaya_viewer:1.0:*:*:*:*:*:*:*

30 May 2023, 19:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/172644/Papaya-Medical-Viewer-1.0-Cross-Site-Scripting.html -
  • (FULLDISC) http://seclists.org/fulldisclosure/2023/May/21 -

26 May 2023, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-05-26 20:15

Updated : 2024-11-21 08:05


NVD link : CVE-2023-33255

Mitre link : CVE-2023-33255

CVE.ORG link : CVE-2023-33255


JSON object : View

Products Affected

uthscsa

  • papaya_viewer
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')