CVE-2025-55071: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MedDream MedDream PACS Premium
CVE-2025-55071 is a reflected cross-site scripting (XSS) vulnerability in MedDream PACS Premium version 7.3.6.870, specifically in the modifyAnonymize functionality. An attacker can craft a malicious URL that, when visited by a user, executes arbitrary JavaScript code in the victim's browser. This vulnerability requires user interaction (clicking the malicious link) but does not require authentication. The CVSS score is 6.1 (medium severity), reflecting limited confidentiality and integrity impact but no availability impact. There are no known exploits in the wild currently, and no patch has been released yet. European healthcare organizations using this PACS software are at risk of targeted attacks that could lead to session hijacking or data manipulation.
AI Analysis
Technical Summary
CVE-2025-55071 is a reflected cross-site scripting (XSS) vulnerability identified in MedDream PACS Premium version 7.3.6.870, medical imaging software widely used for managing and viewing medical images. The vulnerability exists in the modifyAnonymize functionality, which presumably allows modification or anonymization of patient data within images. The flaw arises from improper neutralization of user-supplied input during web page generation, classified under CWE-79. An attacker can craft a malicious URL containing JavaScript code that is reflected by the application without proper sanitization or encoding. When a victim clicks this URL, the malicious script executes in their browser context, potentially allowing session hijacking, credential theft, or manipulation of displayed data. The vulnerability requires no authentication but does require user interaction to trigger. The CVSS v3.1 score of 6.1 indicates medium severity, with network attack vector, low attack complexity, no privileges required, and user interaction needed. The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component: the script runs in the victim's browser rather than in the PACS server itself. Confidentiality and integrity impacts are low, and availability is unaffected. No known exploits have been reported in the wild, and no official patches have been published yet. This vulnerability highlights the risk of insufficient input validation and output encoding in healthcare web applications, which can be exploited to compromise sensitive medical data or user sessions.
Potential Impact
For European organizations, particularly healthcare providers using MedDream PACS Premium 7.3.6.870, this vulnerability poses a risk of client-side attacks that can compromise user sessions and potentially expose sensitive patient information. Although there is no direct impact on system availability, the confidentiality and integrity of medical data viewed or manipulated through the PACS interface could be affected. Attackers could use this vulnerability to steal authentication tokens, perform actions on behalf of legitimate users, or inject misleading information into medical records. This could undermine trust in healthcare IT systems and lead to regulatory compliance issues under GDPR due to unauthorized data exposure. The requirement for user interaction limits large-scale automated exploitation, but targeted phishing campaigns against healthcare staff are plausible. The lack of a patch increases the window of exposure, necessitating immediate mitigation efforts. The vulnerability could also be leveraged as a foothold for further attacks within hospital networks, increasing overall risk.
Mitigation Recommendations
1. Immediately implement input validation and output encoding on all user-supplied data within the modifyAnonymize functionality to neutralize malicious scripts.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser.
3. Educate healthcare staff about the risks of clicking unknown or suspicious URLs, especially those related to PACS systems.
4. Monitor web server logs for suspicious URL patterns that may indicate attempted exploitation.
5. Isolate PACS web interfaces behind secure VPNs or internal networks to reduce exposure to external attackers.
6. Apply web application firewalls (WAF) with rules targeting reflected XSS attack patterns.
7. Coordinate with MedDream for timely patch deployment once available and test updates in a controlled environment before production rollout.
8. Review and enhance session management to detect and prevent session hijacking attempts.
9. Conduct regular security assessments and penetration testing focused on web application vulnerabilities within healthcare IT infrastructure.
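The reflected-output defect described in the Technical Summary and mitigations 1, 2 and 4 above, as an added illustration that is not MedDream's code: a minimal handler that reflects a query parameter unencoded, the same handler with attribute-context encoding plus a CSP header, and a log review that decodes request targets before matching. The parameter name `studyId` and path `/modifyAnonymize` are assumptions; the advisory names neither.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

# The advisory does not name the reflected parameter or URL path; "studyId"
# and "/modifyAnonymize" are hypothetical names used for illustration only.
REFLECTED_PARAM = "studyId"

def render_vulnerable(query: str) -> str:
    """Pre-fix behaviour the advisory describes: the query parameter is copied
    into the HTML unchanged, so any markup in it is parsed by the browser."""
    value = parse_qs(query).get(REFLECTED_PARAM, [""])[0]
    return f'<input name="{REFLECTED_PARAM}" value="{value}">'

def render_hardened(query: str):
    """Mitigations 1 and 2: encode the value for the HTML attribute context
    (quote=True also encodes ' and ") and send a CSP that blocks inline and
    third-party script. Returns (headers, body)."""
    value = parse_qs(query).get(REFLECTED_PARAM, [""])[0]
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    }
    body = f'<input name="{REFLECTED_PARAM}" value="{html.escape(value, quote=True)}">'
    return headers, body

# Mitigation 4: review access logs for script-like markup in the query string.
# Match after URL decoding, otherwise %3Cscript%3E slips past a literal check.
# \b in front of on\w+= keeps benign names such as "content=" from matching.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+)')

def suspicious_log_lines(lines):
    """Return the access-log lines whose decoded request target matches SUSPICIOUS."""
    hits = []
    for line in lines:
        m = REQUEST_TARGET.search(line)
        if m and SUSPICIOUS.search(unquote_plus(m.group(1))):
            hits.append(line)
    return hits

# Constructed sample access-log lines (not real traffic); the second carries a
# percent-encoded script tag in the hypothetical parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2026:15:05:59 +0000] "GET /modifyAnonymize?studyId=1.2.840.113619 HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jan/2026:15:06:10 +0000] "GET /modifyAnonymize?studyId=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
]
```

Encoding must match the output context (here an attribute; a JavaScript or URL context needs its own encoder), and the log check is a triage aid for item 4, not a replacement for the WAF rules in item 6.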
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2025-08-22T16:09:05.668Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 696f99d74623b1157c3aa49b
Added to database: 1/20/2026, 3:05:59 PM
Last enriched: 1/27/2026, 8:10:37 PM
Last updated: 2/6/2026, 5:51:15 PM