CVE-2024-22725: Reflected cross-site scripting in Orthanc before 1.12.2
Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability. The vulnerability was present in the server's error reporting.
AI Analysis
Technical Summary
CVE-2024-22725 is a reflected cross-site scripting (XSS) vulnerability in Orthanc versions before 1.12.2. Orthanc is an open-source, lightweight DICOM server used in medical imaging environments to store, query and share studies through its REST API and built-in web interface. The flaw is in the server's error reporting: part of the request is echoed back in the error response without being HTML-encoded, so an attacker can craft a URL that makes the server return a page containing attacker-chosen markup and script. Because the XSS is reflected, exploitation requires user interaction, typically a user who is authenticated to Orthanc opening a crafted link; the script then executes in the Orthanc origin inside that user's browser. The CVSS v3.1 base score is 6.1 (medium), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network-reachable, low complexity, no privileges needed, user interaction required, low confidentiality and integrity impact, no availability impact. The scope is changed because the vulnerable component is the server while the code runs in the client's browser. The weakness is classified as CWE-79. No exploitation in the wild had been reported at the time of the source, and no patch link was given, but the fixed release is 1.12.2. Given Orthanc's role in healthcare, script running in the Orthanc origin could be used for credential theft or to read or modify imaging data through the REST API with the victim's privileges.
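The pattern described above, as an added illustration that is not Orthanc's code: a minimal error-page builder that reflects the decoded request path unencoded, beside two hardened forms (HTML-encoding the value, or answering with a non-HTML content type). The helper parses each body the way a browser would and lists the elements it creates, which is the check that tells a live reflection from a harmless echo. The payload URL and the error-page layout are constructed for the example; the advisory does not say which part of the request Orthanc reflected.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed attack URL: the browser sends the path percent-encoded and the
# server decodes it before building its error message.
PAYLOAD_ON_WIRE = "/instances/%3Cscript%3Ealert(document.domain)%3C/script%3E"


def decode_request_path(raw_path: str) -> str:
    """Mimic a server URL-decoding the request target before using it."""
    return unquote(raw_path)


def vulnerable_error_page(status: int, reason: str, requested_path: str) -> str:
    """Reflects the decoded path into HTML with no encoding: the XSS pattern."""
    return (
        f"<html><body><h1>{status} {reason}</h1>"
        f"<p>Error while processing {requested_path}</p></body></html>"
    )


def hardened_error_page(status: int, reason: str, requested_path: str) -> str:
    """Same message, but the reflected value is HTML-encoded.

    quote=True also encodes ' and " so the value stays inert inside attributes.
    """
    safe_path = html.escape(requested_path, quote=True)
    return (
        f"<html><body><h1>{status} {reason}</h1>"
        f"<p>Error while processing {safe_path}</p></body></html>"
    )


def plain_text_error(status: int, reason: str, requested_path: str) -> tuple[str, str]:
    """Alternative fix: a non-HTML content type, which browsers do not render as
    markup, plus nosniff so the type cannot be guessed back to HTML."""
    headers = "Content-Type: text/plain; charset=utf-8\r\nX-Content-Type-Options: nosniff"
    return headers, f"{status} {reason}: error while processing {requested_path}"


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(body: str) -> list[str]:
    """Parse a response body like a browser and list the element tags it creates.
    A reflected payload is live only if it produces a new element."""
    parser = _TagCollector()
    parser.feed(body)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    path = decode_request_path(PAYLOAD_ON_WIRE)
    print("vulnerable tags:", tags_in(vulnerable_error_page(404, "Not Found", path)))
    print("hardened tags:  ", tags_in(hardened_error_page(404, "Not Found", path)))
```

The vulnerable body yields a `script` element; the encoded body yields only the page's own elements and the payload survives as visible text. Encoding at the point of output is the fix; decoding or filtering on input does not help because the value is legitimately part of the request.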
Potential Impact
For European organizations, especially healthcare providers and medical imaging centres running Orthanc, this vulnerability puts the confidentiality and integrity of data reachable through the web interface and REST API at risk. Availability is not affected, but script executing in the Orthanc origin runs with the victim's access. Orthanc's built-in authentication is HTTP Basic, so there is no session cookie to steal; instead, the browser attaches the cached credentials to any request the injected script makes, which lets an attacker read or alter patient studies in the victim's name. Deployments that place Orthanc behind a reverse proxy or single sign-on may additionally expose cookies or tokens to the script. Because the data is personal health information, unauthorized disclosure falls under GDPR and can carry serious legal and financial consequences. The reflected XSS can also serve as a vector for phishing or social engineering against medical staff, since the malicious page is served from a trusted internal host. The medium score reflects the need for user interaction and the limited direct impact; the sensitivity of the data handled by Orthanc is what makes the practical consequences significant, and organizations running Orthanc should treat it as a priority for their web-facing services.
Mitigation Recommendations
1. Upgrade Orthanc to version 1.12.2 or later, where the vulnerability is fixed. Confirm the running version via the REST API (GET /system reports it under "Version") rather than relying on package metadata.
2. If an immediate upgrade is not possible, add web application firewall rules that block markup in request paths and parameters. Treat this as a stopgap: payloads can be encoded in several ways, so test the rules against URL-encoded and double-encoded variants.
3. Reduce the detail that HTTP error responses return to clients, for example by having the reverse proxy serve a static error page instead of passing Orthanc's error body through. This limits what can be reflected but does not replace the upgrade.
4. Educate users and administrators about the risk of opening untrusted links, especially links that point at internal medical imaging systems.
5. Conduct regular security assessments and penetration tests of the web interface to find similar issues proactively.
6. Serve a Content Security Policy, usually from the reverse proxy in front of Orthanc, that disallows inline script. Deploy it in report-only mode first and test it against Orthanc Explorer, since a strict policy can break the built-in interface.
7. Monitor proxy and server logs for requests whose paths or parameters contain markup after URL decoding, and correlate them with 4xx error responses; these are the traces an exploitation attempt leaves.
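Two of the checks above in code, as an added example that is not part of this advisory or of the Orthanc project: deciding from a GET /system answer whether an instance is below the fixed release, and triaging reverse-proxy access logs for requests that carry markup once percent-encoding is peeled off. The /system answer and the nginx-style log lines are constructed for the example; the "Version" key of GET /system is Orthanc's, the log format is assumed to be a proxy's combined log rather than Orthanc's own log.

```python
import json
import re
from urllib.parse import unquote

FIXED_VERSION = (1, 12, 2)

# Constructed GET /system answer from an unpatched server.
SAMPLE_SYSTEM_JSON = '{"Name": "ORTHANC-PACS1", "Version": "1.12.1"}'

# Constructed reverse-proxy access log (nginx combined format) in front of Orthanc.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [04/Jun/2025:22:15:21 +0000] "GET /patients HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jun/2025:22:15:30 +0000] "GET /instances/%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jun/2025:22:15:41 +0000] "GET /dicom-web/studies?PatientName=*&limit=10 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [04/Jun/2025:22:16:02 +0000] "GET /studies/%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 404 140 "-" "curl/8.0"',
]


def parse_version(version: str):
    """'1.12.1' -> (1, 12, 1); None for non-numeric strings such as 'mainline'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(system_json: str):
    """True if the reported version is below 1.12.2, False if fixed, None if the
    version cannot be compared (development builds must be checked by hand)."""
    version = parse_version(json.loads(system_json).get("Version", ""))
    if version is None:
        return None
    return version < FIXED_VERSION


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
# A tag opener or a javascript: URL after decoding; tuned for low false positives
# on REST paths, which legitimately contain '=' and '?' but never '<'.
MARKUP_RE = re.compile(r"<\s*[a-z/!]|javascript\s*:", re.IGNORECASE)


def fully_decode(path: str) -> str:
    """Peel percent-encoding until stable so %253C (double-encoded '<') is caught."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def suspicious_requests(lines):
    """Return the requests whose decoded path contains markup, with the status
    the server answered; 4xx answers are where a reflected error body appears."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if MARKUP_RE.search(fully_decode(m["path"])):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_SYSTEM_JSON))
    for hit in suspicious_requests(SAMPLE_LOG_LINES):
        print(hit)
```

Run the version check against every Orthanc instance in the inventory, not only the one known to the imaging team; the log triage flags the double-encoded request as well as the plain one, which a single URL-decode pass would miss.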
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-01-11T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6840c579182aa0cae2c16aee
Added to database: 6/4/2025, 10:15:21 PM
Last enriched: 7/7/2025, 3:09:34 AM
Last updated: 7/31/2025, 2:35:03 AM