Arbitrary Code Execution Vulnerability in Sante DICOM Viewer Pro by Sante Group
CVE-2022-28668

7.8 HIGH

Key Information:

Vendor: Sante

CVE Published: 3 August 2022

What is CVE-2022-28668?

A vulnerability in Sante DICOM Viewer Pro 11.9.2 allows remote attackers to execute arbitrary code on affected installations. The flaw lies in the parsing of J2K files: the parser does not adequately validate user-supplied data before using it, which can result in a write past the end of an allocated data structure. Exploitation requires user interaction; the target must open a malicious file or visit a malicious page. An attacker who succeeds can execute code in the context of the current process.
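The advisory does not say which J2K structure is mis-parsed, so the following is an added illustration of the bug class rather than Sante's code. A JPEG 2000 codestream begins with a SIZ marker segment whose Csiz field states how many image components follow; a parser that sizes a fixed structure for a few components and then loops to Csiz without checking it writes past the end of that structure. `parse_siz_unchecked()` shows that pattern; `parse_siz_checked()` validates the buffer length, Lsiz, the spec range for Csiz, the Lsiz/Csiz consistency and the destination capacity before writing. Field offsets follow the JPEG 2000 codestream layout; `build_siz()` produces constructed test input, and `canary_clobbered()` backs the destination with a larger slab so the overflow is observable instead of undefined behaviour. All names here are the example's own.

```c
/* Added example, not Sante's code: a J2K SIZ marker-segment parser that
 * trusts the file's component count (the bug class in the advisory) beside
 * a hardened version that validates it before writing. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIZ_MARKER 0xFF51u
#define SIZ_FIXED  38u      /* Lsiz covers itself plus the fixed fields */
#define CSIZ_MAX   16384u   /* spec range for Csiz is 1..16384 */

struct j2k_comp { uint8_t ssiz, xrsiz, yrsiz; };
struct j2k_siz  { uint32_t xsiz, ysiz; uint16_t csiz; };

enum { SIZ_OK = 0, SIZ_ETRUNC = -1, SIZ_EMARKER = -2, SIZ_ELEN = -3,
       SIZ_ECSIZ = -4, SIZ_ECAP = -5 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

typedef int (*siz_parser)(const uint8_t *, size_t, struct j2k_siz *,
                          struct j2k_comp *, size_t);

/* Vulnerable form: Csiz comes straight from the file and bounds the loop;
 * the caller's capacity is ignored, so Csiz > cap writes past the end of
 * comp (and a short buffer is read past its end as well). */
int parse_siz_unchecked(const uint8_t *buf, size_t len, struct j2k_siz *out,
                        struct j2k_comp *comp, size_t cap)
{
    (void)cap;                                   /* never consulted: the bug */
    if (len < 4 || rd16(buf) != SIZ_MARKER) return SIZ_EMARKER;
    out->xsiz = rd32(buf + 6);
    out->ysiz = rd32(buf + 10);
    out->csiz = rd16(buf + 38);
    for (size_t i = 0; i < out->csiz; i++) {
        const uint8_t *c = buf + 40 + 3 * i;
        comp[i].ssiz = c[0]; comp[i].xrsiz = c[1]; comp[i].yrsiz = c[2];
    }
    return SIZ_OK;
}

/* Hardened form: every length taken from the file is checked against the
 * buffer, the spec, and the destination before any write happens. */
int parse_siz_checked(const uint8_t *buf, size_t len, struct j2k_siz *out,
                      struct j2k_comp *comp, size_t cap)
{
    if (len < 40) return SIZ_ETRUNC;                 /* need marker..Csiz */
    if (rd16(buf) != SIZ_MARKER) return SIZ_EMARKER;
    uint16_t lsiz = rd16(buf + 2);
    if (lsiz < SIZ_FIXED + 3 || (size_t)lsiz + 2 > len) return SIZ_ELEN;
    uint16_t csiz = rd16(buf + 38);
    if (csiz < 1 || csiz > CSIZ_MAX) return SIZ_ECSIZ;
    if ((size_t)lsiz != SIZ_FIXED + 3 * (size_t)csiz) return SIZ_ELEN;
    if (csiz > cap) return SIZ_ECAP;                 /* the missing check */
    out->xsiz = rd32(buf + 6);
    out->ysiz = rd32(buf + 10);
    out->csiz = csiz;
    for (size_t i = 0; i < csiz; i++) {
        const uint8_t *c = buf + 40 + 3 * i;
        comp[i].ssiz = c[0]; comp[i].xrsiz = c[1]; comp[i].yrsiz = c[2];
    }
    return SIZ_OK;
}

/* Constructed test input (not a real file): a SIZ segment for a 256x256
 * single-tile image with `csiz` 8-bit components and the given Lsiz.
 * `out` needs 40 + 3*csiz bytes; returns the bytes written. */
size_t build_siz(uint8_t *out, uint16_t csiz, uint16_t lsiz)
{
    size_t n = 40 + 3 * (size_t)csiz;
    memset(out, 0, n);
    wr16(out, SIZ_MARKER);
    wr16(out + 2, lsiz);
    wr32(out + 6, 256);  wr32(out + 10, 256);   /* Xsiz, Ysiz */
    wr32(out + 22, 256); wr32(out + 26, 256);   /* XTsiz, YTsiz */
    wr16(out + 38, csiz);
    for (size_t i = 0; i < csiz; i++) {
        uint8_t *c = out + 40 + 3 * i;
        c[0] = 7; c[1] = 1; c[2] = 1;           /* 8-bit unsigned, no subsampling */
    }
    return n;
}

#define CAP  2   /* components the "allocated structure" has room for */
#define SLAB 8   /* real backing so the overflow is observable, not UB */

/* Feed a parser a SIZ claiming `csiz` (<= SLAB) components into a CAP-sized
 * destination. Slots past CAP hold a 0xAA canary; returns 1 if the parser
 * clobbered it (wrote past the end). *rc receives the parser's return code. */
int canary_clobbered(siz_parser parse, uint16_t csiz, int *rc)
{
    uint8_t buf[40 + 3 * SLAB];
    struct j2k_comp slab[SLAB];
    struct j2k_siz siz;
    memset(slab, 0xAA, sizeof slab);
    size_t len = build_siz(buf, csiz, (uint16_t)(SIZ_FIXED + 3 * csiz));
    *rc = parse(buf, len, &siz, slab, CAP);
    return slab[CAP].ssiz != 0xAA;
}

int main(void)
{
    int rc;
    int hit = canary_clobbered(parse_siz_unchecked, 4, &rc);
    printf("unchecked: Csiz=4 into cap %d -> clobbered=%d rc=%d\n", CAP, hit, rc);
    hit = canary_clobbered(parse_siz_checked, 4, &rc);
    printf("checked:   Csiz=4 into cap %d -> clobbered=%d rc=%d\n", CAP, hit, rc);
    return 0;
}
```

The unchecked parser returns success on the malicious segment while having overwritten memory beyond the structure, which is exactly the silent corruption an attacker builds on; the checked parser rejects the same input with SIZ_ECAP before any write. The Lsiz/Csiz consistency check matters on its own: a file whose Lsiz and Csiz disagree is malformed even when each value is individually in range.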

Affected Version(s)

DICOM Viewer Pro 11.9.2

References

CVSS V3.1

Score: 7.8
Severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 3 August 2022

  • Vulnerability reserved

Credit

Eunice