CVE-2018-25298— Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer

Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer

Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

跨站请求伪造(CSRF)

Merative Merge PACS 跨站请求伪造漏洞

Merative Merge PACS是美国Merative公司的一个用于整合和管理医学影像数据的影像归档与通信系统。 Merative Merge PACS 7.0版本存在跨站请求伪造漏洞，该漏洞源于跨站请求伪造，可能导致攻击者通过构造恶意HTML表单针对merge-viewer端点执行未授权操作，提交包含登录凭据的POST请求到/servlet/actions/merge-viewer/summary以劫持用户会话并获取对PACS系统的未授权访问。

N/A

N/A