Advisory: Cross-Site-Scripting in Papaya Medical Viewer (CVE-2023-33255)
Release of SCHUTZWERK-SA-2022-001
SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer
Papaya, Research Imaging Institute - University of Texas Health Science Center
User-supplied input in the form of DICOM or NIFTI images can be loaded into the
Papaya web application without any kind of sanitization. This makes it possible to inject
executed as soon as the metadata is displayed in the Papaya web application.
the Papaya web application. The actual risk depends heavily on how the Papaya
software is used as a library in the context of a larger medical web
application. During the discovery of this vulnerability, the web application
that used Papaya allowed users to upload and store such images on the web
server and display them to multiple users. It was therefore possible to store
session, leading to a disclosure of sensitive medical data.
A medical web application assessed for security vulnerabilities by SCHUTZWERK
was found to contain a stored cross-site-scripting vulnerability. The
Imaging Institute belonging to the University of Texas Health Science Center.
viewer, supporting DICOM and NIFTI formats, compatible across a range of web
browsers [..]". It can be used stand-alone or integrated into larger medical
applications, has 192 forks and 488 stars on GitHub and was used in at least 50
published academic research papers.
One of the main features is opening medical images in multiple formats, which
is done via the context menu "File - Add image...". Papaya then displays
the image and adds a new icon in the upper right corner of the viewer. This icon
opens another context menu for editing the previously opened image as a layer
in multiple ways. The option of interest for the cross-site-scripting
vulnerability is the "Show Header" entry, which displays further
information about the medical image.
An example DICOM zip archive was downloaded, extracted and opened in
Papaya. The "Show Header" function shows multiple entries including private
patient data fields like patient ID, name, date of birth and gender.
The DICOM ToolKit (DCMTK) offers multiple tools to analyze, create and edit
DICOM images. The metadata field "Manufacturer" of the previously downloaded
DICOM image was edited with help of the DCMTK tool dcmodify:
DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m
The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:
[..] (0008,0070) LO [<script>alert(1)</script>] # 26, 1 Unknown Tag & Data [..]
Viewing the header information of the manipulated DICOM image in Papaya executes
SCHUTZWERK decided to publish the still existing vulnerability (commit 4a42701),
since the vendor had not implemented any remediation several months after new
contributors had been introduced to the project.
Several mitigation recommendations have been sent to the vendor. These include
common mitigation strategies from OWASP, like escaping user controlled input
As a quick workaround, the context menu that allows showing header information
can be disabled by setting the variable kioskMode to true.
2020-08-20: Vulnerability discovered
2020-08-20: Vulnerability reported to
2020-09-30: Contacted vendor again
2020-09-30: Vendor responds and asks for mitigation ideas
2020-10-01: Response to vendor with detailed information and mitigation ideas
2020-11-09: Contacted vendor again for any status updates
2022-08-30: Retest of the customer application including the Papaya web
2022-09-21: Notified vendor of intention to publish advisory
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will maintain the
2023-04-19: Informed vendor about publication deadline on May 15, 2023
2023-05-08: Vendor replied with intention to fix vulnerability by May 15, 2023
2023-05-15: Vulnerability fixed by vendor
2023-05-26: Advisory published by SCHUTZWERK
The vulnerability was discovered during an assessment by Lennert Preuth of
The information in this security advisory is provided "as is" and without
warranty of any kind. Details of this security advisory may be updated in order
to provide information that is as accurate as possible. The most recent version of this
security advisory can be found at SCHUTZWERK GmbH's website.