CVE-2026-12473

Open · DICOM Web Viewer Framework

The DICOM Web Viewer Framework contains a server-side request forgery vulnerability due to improper validation of URL parameters in the DICOMWebProxy and DICOMJSON data sources.

Executive summary

The DICOM Web Viewer Framework is susceptible to an unauthenticated server-side request forgery vulnerability that could allow attackers to perform unauthorized requests on behalf of the server.

Vulnerability

This vulnerability involves the failure to validate arbitrary URL parameters within the default configuration of the DICOMWebProxy and DICOMJSON components. This allows an unauthenticated attacker to force the application to make requests to internal or external resources.
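The defect described above is the classic SSRF pattern: a URL taken from a request parameter is forwarded by the server without checking where it points. The following added example (not code from the DICOM Web Viewer Framework; the function names, the `ALLOWED_ORIGINS` allowlist and the hostnames are constructed for illustration) shows the unchecked pattern next to an allowlist-based hardened form. The hardened version rejects credentials embedded in the URL, non-allowlisted schemes, hosts and ports, and IP literals in loopback, link-local (cloud metadata), RFC 1918 and other non-global ranges; an optional resolver hook lets it also reject an allowlisted hostname whose DNS answer points at a non-global address.

```python
"""Allowlist validation of a proxy upstream URL.

Added example; the names below are hypothetical and not the framework's own API.
"""
import ipaddress
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: the only (scheme, host, port) origins the proxy may contact.
ALLOWED_ORIGINS = {("https", "pacs.example.internal", 443)}
DEFAULT_PORTS = {"https": 443, "http": 80}


class UnsafeTargetError(ValueError):
    """Raised when a requested upstream URL must not be fetched."""


def _address_is_non_global(addr: str) -> bool:
    """True for loopback, link-local, RFC 1918, ULA and other non-global IP literals."""
    try:
        return not ipaddress.ip_address(addr).is_global
    except ValueError:
        return False  # not an IP literal at all (a hostname)


def vulnerable_build_target(requested_url: str) -> str:
    """The pattern the advisory describes: the URL parameter is forwarded unchecked."""
    return requested_url


def hardened_build_target(
    requested_url: str,
    resolver: Optional[Callable[[str], Iterable[str]]] = None,
) -> str:
    """Return a normalized upstream URL, or raise UnsafeTargetError.

    `resolver` (hypothetical hook) maps a hostname to the addresses it resolves to;
    pass e.g. a socket.getaddrinfo wrapper in production, or None to skip the check.
    """
    parts = urlsplit(requested_url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if parts.username or parts.password:
        raise UnsafeTargetError("credentials embedded in URL")
    if not host:
        raise UnsafeTargetError("missing host")
    if _address_is_non_global(host):
        raise UnsafeTargetError(f"non-global address literal {host}")
    try:
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:
        raise UnsafeTargetError("malformed port")
    if (scheme, host, port) not in ALLOWED_ORIGINS:
        raise UnsafeTargetError(f"origin {scheme}://{host}:{port} is not allowlisted")
    if resolver is not None:
        for addr in resolver(host):
            if _address_is_non_global(addr):
                raise UnsafeTargetError(f"{host} resolves to non-global {addr}")

    # Rebuild the URL from validated parts; the fragment is never sent upstream.
    return urlunsplit((scheme, f"{host}:{port}", parts.path, parts.query, ""))


def is_safe_target(requested_url: str, resolver=None) -> bool:
    """Boolean convenience wrapper around hardened_build_target."""
    try:
        hardened_build_target(requested_url, resolver=resolver)
        return True
    except UnsafeTargetError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate PACS request, several that must be refused.
    for candidate in [
        "https://pacs.example.internal/dicom-web/studies?limit=10",
        "http://169.254.169.254/latest/meta-data/",
        "https://127.0.0.1/",
        "file:///etc/passwd",
        "https://pacs.example.internal@other.example/",
    ]:
        print(f"{is_safe_target(candidate)!s:5}  {candidate}")
```

The allowlist is the primary control; the non-global address checks exist because an allowlist of hostnames alone says nothing about where a name resolves, which is why the resolver hook re-checks every resolved address. Note that a resolution-time check still has to be paired with connecting to the checked address (rather than resolving twice) to be meaningful.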

Business impact

A successful exploit could allow attackers to bypass network segmentation, probe internal services, or exfiltrate sensitive data from the internal network. With a CVSS score of 8.2, this high-severity vulnerability poses a significant risk to the confidentiality and integrity of infrastructure hosting medical imaging data.

Remediation

Immediate Action: Identify and disable the vulnerable DICOMWebProxy and DICOMJSON data sources if they are not strictly required for business operations.

Proactive Monitoring: Review web server and network egress logs for anomalous requests originating from the framework to unauthorized or internal IP addresses.

Compensating Controls: Implement strict egress filtering on the host machine to prevent the application from accessing internal network segments or unauthorized external endpoints.
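The "Proactive Monitoring" step above amounts to comparing the proxy's actual egress destinations against the small set of upstreams it is supposed to talk to. The following added example (not the framework's code; the key=value log format, the `EXPECTED_UPSTREAMS` allowlist and all sample lines are constructed) runs that comparison over a handful of egress records and labels each unexpected destination as internal or external, which is the distinction that separates internal probing from data leaving the network.

```python
"""Flag unexpected egress from a DICOMweb proxy in egress log records.

Added example with a constructed log format; not the framework's own logging.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample: one timestamp followed by key=value fields per line.
SAMPLE_EGRESS_LOG = """\
2026-03-01T10:00:01Z app=dicom-viewer src=10.20.1.15 dst_host=pacs.example.internal dst_ip=10.20.5.40 dst_port=443 path=/dicom-web/studies status=200
2026-03-01T10:00:02Z app=dicom-viewer src=10.20.1.15 dst_host=169.254.169.254 dst_ip=169.254.169.254 dst_port=80 path=/latest/meta-data/ status=200
2026-03-01T10:00:03Z app=dicom-viewer src=10.20.1.15 dst_host=10.20.7.9 dst_ip=10.20.7.9 dst_port=8080 path=/ status=404
2026-03-01T10:00:04Z app=dicom-viewer src=10.20.1.15 dst_host=unknown-host.example dst_ip=93.184.216.34 dst_port=443 path=/upload status=200
2026-03-01T10:00:05Z app=dicom-viewer src=10.20.1.15 dst_host=pacs.example.internal dst_ip=10.20.5.40 dst_port=443 path=/dicom-web/series status=200
"""

# Constructed allowlist of (host, port) pairs the proxy is expected to reach.
EXPECTED_UPSTREAMS: Set[Tuple[str, int]] = {("pacs.example.internal", 443)}


def parse_line(line: str) -> Dict[str, str]:
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = ts
    return fields


def classify_destination(dst_ip: str) -> str:
    """'internal' for non-global addresses (RFC 1918, link-local, loopback), else 'external'."""
    try:
        return "internal" if not ipaddress.ip_address(dst_ip).is_global else "external"
    except ValueError:
        return "unknown"


def find_unexpected_egress(log_text: str, expected=EXPECTED_UPSTREAMS) -> List[Dict[str, str]]:
    """Return every record whose (dst_host, dst_port) is not an expected upstream."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        try:
            port = int(rec.get("dst_port", ""))
        except ValueError:
            port = -1
        if (rec.get("dst_host", "").lower(), port) in expected:
            continue
        findings.append({
            "ts": rec["ts"],
            "dst_host": rec.get("dst_host", ""),
            "dst_ip": rec.get("dst_ip", ""),
            "dst_port": str(port),
            "path": rec.get("path", ""),
            "reason": classify_destination(rec.get("dst_ip", "")),
        })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Counter:
    """Count findings by internal/external classification for a quick triage view."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    hits = find_unexpected_egress(SAMPLE_EGRESS_LOG)
    for f in hits:
        print(f"{f['ts']} {f['reason']:8} {f['dst_host']}:{f['dst_port']} {f['path']}")
    print(dict(summarize(hits)))
```

Requests to the allowlisted PACS are ignored even though it sits on an internal address, because the point of the review is deviation from the expected upstream set, not internal addressing as such. In a real deployment the allowlist comes from the viewer's configured data sources, and the classification can be extended with the egress-filter verdict (allowed/denied) once the compensating control from the next step is in place.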

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations utilizing this framework should prioritize verifying their configuration against vendor documentation. Given the potential for unauthorized internal network access, applying any available vendor security updates is mandatory to mitigate the risk of lateral movement.