VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

MedDream PACS Server Premium 6.7.1.1 SQL Injection via email

CVE-2018-25372

Description

MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads in the email field to extract sensitive database information from the backend MySQL database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in MedDream PACS Server Premium 6.7.1.1 via the email parameter in userSignup.php allows attackers to extract database contents.

Vulnerability

MedDream PACS Server Premium version 6.7.1.1 contains a SQL injection vulnerability in the userSignup.php endpoint [1][2]. The email parameter is not sanitized before being used in SQL queries, allowing an unauthenticated attacker to inject arbitrary SQL commands. The attack is performed via a POST request to userSignup.php with a crafted email value. The vulnerability affects MedDream PACS Server Premium <= 6.7.1.1 [2].

Exploitation

An unauthenticated attacker can exploit the vulnerability by sending a malicious POST request to /Pacs/userSignup.php with a SQL payload in the email parameter [1]. The request can be sent with a standard HTTP client such as curl, or automated with a tool such as sqlmap. The example request also includes parameters such as hostname, database, username, and firstname, but the injection occurs through the email field. The attacker does not need any prior authentication or special network position, as the endpoint is publicly accessible. A proof of concept using sqlmap demonstrates automated extraction of database names (e.g., dicom, information_schema) [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries on the backend MySQL database, leading to information disclosure of sensitive data such as patient information, medical images, and system credentials [1][2]. The CVSS v4 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N) indicates high confidentiality impact, low integrity impact, and no availability impact [2]. The attacker achieves read access to the entire database, potentially extracting all stored records.

Mitigation

As of the available references, no patch or fixed version has been released for MedDream PACS Server Premium [1][2]. The vendor has not published a remediation or workaround. Users of affected versions (<= 6.7.1.1) should restrict network access to the web interface, implement input validation on the email parameter, and monitor for suspicious requests. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the email parameter of userSignup.php allows SQL injection."

Attack vector

An unauthenticated attacker sends a crafted POST request to `/Pacs/userSignup.php` with a malicious SQL payload in the `email` field (and optionally the `username` field). The server does not validate or sanitize the input, so the payload is executed against the backend MySQL database. This allows the attacker to extract arbitrary data, such as database names, table contents, or credentials, without any prior authentication [ref_id=1].

Affected code

The vulnerable endpoint is `/Pacs/userSignup.php`. The `email` parameter (and secondarily the `username` parameter) is not sanitized before being used in SQL queries, allowing injection of arbitrary SQL statements [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory does not include a vendor fix or remediation commit. To close the vulnerability, the application must properly sanitize and parameterize the `email` and `username` inputs in `userSignup.php`, using prepared statements or parameterized queries to prevent SQL injection [ref_id=1].
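The input validation and parameterized queries this page recommends, sketched as an added example that is not MedDream's code (the application's source is not part of the referenced material). The `users` table, its columns and the `signup()` helper are hypothetical, and an in-memory SQLite database stands in for MySQL through PDO so the script runs without a server.

```php
<?php
// Added example: hypothetical table, columns and helper; not vendor code.
declare(strict_types=1);

// In-memory SQLite stands in for MySQL; with MySQL only the DSN changes
// (and PDO::ATTR_EMULATE_PREPARES should be false for server-side prepares).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL, pw_hash TEXT NOT NULL)');

function signup(PDO $pdo, array $post): string
{
    $username = $post['username'] ?? '';
    $email    = $post['email'] ?? '';
    $password = $post['password'] ?? '';
    // Reject arrays (email[]=...) and anything else that is not a plain string.
    if (!is_string($username) || !is_string($email) || !is_string($password)) {
        return 'rejected: malformed field';
    }
    // Allowlist validation is defence in depth, not a substitute for binding:
    // an apostrophe is legal in an address local part (o'brien@example.org).
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $username)) {
        return 'rejected: username';
    }
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'rejected: email';
    }
    // Values are bound as data; the SQL text never contains request input.
    $check = $pdo->prepare('SELECT 1 FROM users WHERE email = :email OR username = :username');
    $check->execute([':email' => $email, ':username' => $username]);
    if ($check->fetchColumn() !== false) {
        return 'rejected: already registered';
    }
    $insert = $pdo->prepare('INSERT INTO users (username, email, pw_hash) VALUES (:u, :e, :p)');
    $insert->execute([':u' => $username, ':e' => $email, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
    return 'created';
}

// Constructed inputs; the first mirrors the request fields shown on this page.
$samples = [
    ['username' => 'hi',  'password' => 'hi', 'email' => 'test@gmail.com'],
    ['username' => 'ob',  'password' => 'hi', 'email' => "o'brien@example.org"],
    ['username' => 'hi3', 'password' => 'hi', 'email' => ['nested']],
    ['username' => 'hi',  'password' => 'hi', 'email' => 'other@example.org'],
];
foreach ($samples as $post) {
    echo signup($pdo, $post), PHP_EOL;
}
```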

Preconditions

  • network: The attacker must be able to reach the /Pacs/userSignup.php endpoint over HTTP.
  • auth: No authentication is required; the endpoint is publicly accessible.
  • input: The attacker must send a POST request with a malicious SQL payload in the email parameter.

Reproduction

Send a POST request to `/Pacs/userSignup.php` with a SQL injection payload in the `email` field. Example request (from [ref_id=1]):

```
POST /Pacs/userSignup.php HTTP/1.1
Host: 192.168.6.107
Content-Type: application/x-www-form-urlencoded

hostname=localhost&database=dicom&username=hi&password=hi&firstname=jh&lastname=k23klk3l2&email=test@gmail.com&action=Sign+Up
```

The `email` parameter is vulnerable. Using a tool like sqlmap against this request with `-p email --dbms mysql` will extract database contents [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
