When setting the email parameter, Explorer users could enter an email address to receive an email notification. These notifications are stored in the browser and are visible to anyone who browses to the vulnerable website. The XSS issue can be exploited by a malicious third party to perform user data extraction. OpenCATS is a virtual patient booking system for radiology departments. These departments typically have a large number of daily workflows where the creation and completion of various reports and studies are required. These workflows typically require the input of various types of data from different sources. An attacker can leverage XSS in these workflows to inject malicious code into the published reports and studies. This malicious code can be used by an attacker to extract data from the user and exfiltrate it to a remote server.
Conclusion: Take security seriously!
OpenCATS fixed the vulnerability on 12/13/2018.
Explorer users should be wary of visiting the vulnerable website, as they may encounter malicious code injected into their browser by an attacker.
Details of OpenCATS XSS Vulnerability
The XSS vulnerability allows for the injection of malicious JavaScript code into the OpenCATS website. This malicious script is then used to extract data from the user and exfiltrate it to a remote server. The malicious code is injected into reports and studies published by OpenCATS. This means that these workflows are vulnerable to an attack.
Affected Versions/Browser- Chrome, Firefox and Internet Explorer:
OpenCATS was vulnerable in versions before 1.3 (prior to June 13th, 2018).
Summary of The OpenCATS XSS Vulnerability
An attacker can leverage XSS in these workflows to inject malicious code into the published reports and studies. This malicious code can be used by an attacker to extract data from the user and exfiltrate it to a remote server.
Timeline
Published on: 10/19/2022 18:15:00 UTC
Last modified on: 10/20/2022 05:47:00 UTC