CVE-2025-32731 is a reflected cross-site scripting vulnerability identified in MedDream PACS Premium version 7.3.5.860, specifically within the radiationDoseReport.php component. The vulnerability arises due to improper neutralization of user-supplied input during web page generation, classified under CWE-79. An attacker can craft a malicious URL containing JavaScript payloads that, when accessed by a victim, execute arbitrary scripts in the context of the victim's browser session. This can lead to theft of session cookies, user impersonation, or redirection to malicious sites, compromising confidentiality and integrity of user data. The vulnerability does not require authentication but does require user interaction, such as clicking the malicious link. The CVSS v3.1 score of 6.1 reflects a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change indicating that the vulnerability affects resources beyond the initially vulnerable component. No public exploits are currently known, but the presence of this vulnerability in a healthcare PACS system is concerning due to the sensitive nature of medical data handled. The lack of an official patch at the time of reporting necessitates immediate mitigation efforts by administrators.

For European organizations, particularly healthcare providers using MedDream PACS Premium 7.3.5.860, this vulnerability poses a risk of client-side script execution leading to potential session hijacking, unauthorized access to patient data, and manipulation of web application behavior. Given the sensitive nature of medical imaging and patient information managed by PACS systems, exploitation could result in breaches of confidentiality and integrity, violating GDPR and other data protection regulations. The reflected XSS could also be used as a vector for phishing or delivering secondary malware payloads. Although availability is not directly impacted, reputational damage and regulatory penalties could be significant. The medium CVSS score reflects moderate risk, but the healthcare sector's criticality elevates the importance of addressing this vulnerability promptly.

Administrators should monitor MedDream's official channels for patches and apply them immediately upon release. In the interim, implement strict input validation and output encoding on all user-controllable inputs, especially those reflected in radiationDoseReport.php. Deploy Web Application Firewalls (WAFs) with rules to detect and block typical XSS payloads targeting this endpoint. Restrict access to the PACS web interface to trusted networks or VPNs to reduce exposure. Educate users to avoid clicking suspicious links and implement Content Security Policy (CSP) headers to limit the impact of injected scripts. Regularly audit web server logs for unusual requests to radiationDoseReport.php and conduct penetration testing to verify the effectiveness of mitigations.