Cross-site scripting in Orthanc Explorer 2 versions up to and including 1.12.0 enables remote attackers to inject arbitrary JavaScript into the browser sessions of users who load a crafted URL. The injection point is the unsanitized `remote-source` query parameter processed by the StudyList.vue URL handler. The CVSS 4.3 rating (AV:N/AC:L/PR:N/UI:R/S:U) reflects that the attacker needs no authentication but the victim must interact with a malicious link: a classic reflected XSS profile. Publicly available exploit code exists per VulDB and a referenced GitHub issue, and an upstream patch commit has been issued, though no officially tagged patched release has been independently confirmed from the canonical repository; operators should verify the fix against the canonical repository rather than assume a tagged release contains it.