CVE-2025-4411: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dataprom Informatics PACS-ACSS

Medium
Tags: Vulnerability, CVE-2025-4411, cve, cwe-79
Published: Wed Jul 23 2025 (07/23/2025, 12:19:46 UTC)
Source: CVE Database V5
Vendor/Project: Dataprom Informatics
Product: PACS-ACSS

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dataprom Informatics PACS-ACSS allows Cross-Site Scripting (XSS). This issue affects PACS-ACSS: before 16.05.2025.

AI-Powered Analysis

AI analysis last updated: 07/23/2025, 12:47:49 UTC

Technical Analysis

CVE-2025-4411 is a medium-severity vulnerability classified under CWE-79, improper neutralization of input during web page generation, commonly known as Cross-Site Scripting (XSS). It affects Dataprom Informatics' PACS-ACSS product in versions prior to 16.05.2025. The flaw arises because the application fails to properly sanitize or encode user-supplied input before including it in dynamically generated web pages. As a result, an attacker can inject script into the PACS-ACSS web interface, and that script is then executed in the browsers of users who view the affected pages. The CVSS v3.1 base score is 6.5, a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) indicates that the vulnerability is exploitable over the network without privileges or user interaction. The impact affects confidentiality (partial data disclosure) and availability (potential service disruption), but not integrity. No exploits in the wild are currently reported, and no patches have been linked yet. PACS-ACSS is a specialized healthcare software product, likely used for managing medical imaging and associated clinical workflows. The vulnerability could allow attackers to execute arbitrary script in the context of the web application, potentially leading to session hijacking, information disclosure, or denial of service through crafted payloads. Given the nature of the product, exploitation could disrupt healthcare operations or expose sensitive patient data.

Potential Impact

For European organizations, especially healthcare providers and medical institutions using PACS-ACSS, this vulnerability poses a risk to patient data confidentiality and system availability. Exploitation could enable attackers to steal session tokens or other sensitive information accessible via the web interface, potentially leading to unauthorized access to patient records or administrative functions. Additionally, injected scripts could be used to launch further attacks such as phishing or malware delivery within the trusted healthcare environment. Disruption of PACS-ACSS availability could delay critical diagnostic workflows, impacting patient care. The medium severity rating reflects that while the vulnerability does not allow full system compromise or data integrity manipulation, the confidentiality and availability impacts are significant in a healthcare context. European healthcare organizations are subject to strict data protection regulations such as GDPR, and any data leakage or service disruption could result in legal and reputational consequences. The absence of required privileges or user interaction lowers the barrier for exploitation, increasing the risk profile.

Mitigation Recommendations

Organizations should prioritize updating PACS-ACSS to version 16.05.2025 or later once the vendor releases a patch addressing this XSS vulnerability. Until a patch is available, deploy a web application firewall (WAF) with custom rules that detect and block typical XSS payloads directed at the PACS-ACSS interface. Where customization or integration is possible, apply strict input validation and context-appropriate output encoding to any user-supplied data rendered by the application. Restrict access to the PACS-ACSS web interface to trusted networks and authenticated users only, using network segmentation and VPNs to reduce exposure. Monitor web server and application logs for unusual requests or error patterns that indicate attempted XSS exploitation. Educate healthcare staff about the risks of clicking suspicious links or submitting unexpected input through the PACS-ACSS interface. Finally, prepare incident response plans specific to web application attacks so that any exploitation attempt can be contained and remediated quickly.

Technical Details

Data Version
5.1
Assigner Short Name
TR-CERT
Date Reserved
2025-05-07T07:44:01.087Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6880d66cad5a09ad0025c7a0

Added to database: 7/23/2025, 12:32:44 PM

Last enriched: 7/23/2025, 12:47:49 PM

Last updated: 7/24/2025, 12:33:57 AM
