OHIF Viewers DICOM

Summary

Successful exploitation of a Server-Side Request Forgery (SSRF) vulnerability in OHIF Viewers DICOM versions prior to v3.12.2 could allow an attacker to steal an authenticated clinician's token via a crafted link. The vulnerability stems from unvalidated URL parameters passed to the DICOMWebProxy and DICOMJSON data sources: the viewer fetches the attacker-supplied URL and automatically attaches the user's OIDC Bearer token to that request, so the token is delivered to whatever host the link points at.
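
The pattern described above, as an added illustration (not OHIF's own code): a viewer that trusts a `url` query parameter and attaches the user's Bearer token to the resulting request, beside a hardened version that resolves the parameter, requires https, and accepts only origins from a configured allowlist. The function names, the `ALLOWED_ORIGINS` list and the sample page URLs are hypothetical and constructed for this example.

```javascript
// Added example (not OHIF code). Shows why an unvalidated URL parameter
// leaks an OIDC Bearer token, and one way to validate it instead.
// ALLOWED_ORIGINS, buildRequestVulnerable and buildRequestHardened are
// hypothetical names chosen for this illustration.

// Constructed allowlist: the origins of the deployment's real data sources.
const ALLOWED_ORIGINS = ["https://pacs.hospital.example"];

// Vulnerable pattern: take ?url= from the page location as-is and send the
// token along with it. A crafted link pointing ?url= at an attacker host
// therefore ships the clinician's token to that host.
function buildRequestVulnerable(pageUrl, token) {
  const target = new URL(pageUrl).searchParams.get("url");
  return { url: target, headers: { Authorization: `Bearer ${token}` } };
}

// Hardened pattern: resolve the parameter against the viewer's own origin
// (so relative paths still work), accept only https, and compare the full
// origin against the allowlist with equality (a prefix check would be
// fooled by pacs.hospital.example.evil.example). Anything else gets no
// request at all, and therefore no token.
function buildRequestHardened(pageUrl, token, allowedOrigins = ALLOWED_ORIGINS) {
  const page = new URL(pageUrl);
  const raw = page.searchParams.get("url");
  if (raw === null) return null;

  let target;
  try {
    target = new URL(raw, page.origin); // throws on unparseable input
  } catch {
    return null;
  }

  if (target.protocol !== "https:") return null;
  if (!allowedOrigins.includes(target.origin)) return null;

  return { url: target.href, headers: { Authorization: `Bearer ${token}` } };
}

// Convenience check used by the tests: does a built request carry the
// token to a given origin?
function tokenExposedTo(request, origin) {
  if (request === null) return false;
  return new URL(request.url).origin === origin &&
    request.headers.Authorization.startsWith("Bearer ");
}
```

The hardened function returns `null` rather than a request without the header, because a data-source URL that is not allowed to carry the token should not be fetched at all; silently dropping the header would still let an attacker use the viewer as a request proxy.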

IFF Assessment

FOE

This vulnerability allows an attacker to steal an authenticated clinician's token, which works against defenders.

Severity

8.2 High

The CVSS score of 8.2 reflects a high severity, indicating that the vulnerability can be exploited remotely with a low attack complexity, leading to sensitive information disclosure and potential further compromise.

Defender Context

Defenders should be aware of this SSRF vulnerability in OHIF Viewers DICOM, particularly in healthcare environments. It's crucial to ensure that affected deployments are updated to v3.12.2 or later and to implement the recommended configuration changes if the dicomwebproxy or dicomjson data sources are used in authenticated deployments. Monitoring for viewer requests that carry a Bearer token to hosts outside the configured data sources could also help detect exploitation.
