CVE-2018-25142

Summary

NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.

Affected Software

VendorProductVersion RangeStatus
NovaRad CorporationNovaPACS Diagnostics Viewer8.5.19.75affected

Weaknesses

  • CWE-611: Improper Restriction of XML External Entity Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References