Softneta MedDream PACS Server Premium 6.7.1.1 Directory Traversal
Description
Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Attackers can send requests to nocache.php with encoded backslash sequences to traverse directories and access sensitive files including system configuration and password files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated directory traversal in Softneta MedDream PACS Server Premium 6.7.1.1 allows reading arbitrary files via encoded backslash sequences in nocache.php.
Vulnerability
Softneta MedDream PACS Server Premium version 6.7.1.1 (and possibly earlier versions) contains a directory traversal vulnerability in the nocache.php script. The path parameter is not properly sanitized, allowing an unauthenticated attacker to traverse directories using encoded backslash sequences (e.g., %5c%2e%2e%5c). This enables access to files outside the intended web root. The vulnerability is classified as CWE-22 (Path Traversal) [2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the /pacs/nocache.php endpoint with a malicious path parameter. No authentication is required. For example, the request http://TARGET/pacs/nocache.php?path=%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini retrieves the Windows win.ini file. Similarly, traversing to ..\..\..\..\..\..\..\MedDreamPACS-Premium\passwords.txt can expose stored credentials [3]. The attack is straightforward and requires only network access to the server.
Impact
Successful exploitation allows an unauthenticated attacker to read arbitrary files from the server's filesystem, including system configuration files, password files, and other sensitive data. This can lead to information disclosure, credential theft, and potentially further compromise of the PACS server and associated systems. The CVSS v4.0 score is 8.7 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, indicating high confidentiality impact [2].
Mitigation
As of the publication date of this CVE, no official patch has been identified in the available references. Users should restrict network access to the MedDream PACS Server to trusted hosts only, and consider upgrading to a version beyond 6.7.1.1 if a fixed release exists. The vendor's download page [1] may provide updated versions. Until a patch is applied, the vulnerable nocache.php endpoint should be blocked or removed if not required.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = 6.7.1.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in the `path` parameter of `nocache.php` allows directory traversal via encoded backslash sequences."
Attack vector
An unauthenticated attacker sends an HTTP GET request to `/pacs/nocache.php` (or `/Pacs/nocache.php`) with a crafted `path` parameter [ref_id=1]. The parameter uses URL-encoded backslash (`%5c`) and dot (`%2e`) sequences to traverse directories, e.g., `%5c%2e%2e%5c%2e%2e%5c...` to reach `\Windows\win.ini` [ref_id=1]. Because the server runs on Windows, backslash-based traversal bypasses naive filters that only check for forward slashes. No authentication is required, and the attacker can read arbitrary files on the server filesystem [ref_id=1].
Affected code
The vulnerable endpoint is `nocache.php` in the MedDream PACS Server Premium 6.7.1.1 installation. The `path` parameter is passed directly to file-reading functions without sanitization, allowing directory traversal via encoded backslash sequences such as `%5c` (backslash) and `%2e` (dot) [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or commit diff [ref_id=1]. To remediate, the application must validate and sanitize the `path` parameter in `nocache.php`, rejecting any input containing directory traversal sequences (e.g., `..`, `%2e%2e`, `%5c`) and restricting file access to a predefined whitelist of allowed paths or a dedicated data directory [ref_id=1].
Preconditions
- configThe target must be running Softneta MedDream PACS Server Premium 6.7.1.1
- networkThe attacker must have network access to the web interface (typically port 80 or 443)
- authNo authentication or session is required
- inputThe attacker supplies a crafted 'path' query parameter with encoded traversal sequences
Reproduction
1. Identify a target running Softneta MedDream PACS Server Premium 6.7.1.1. 2. Send a GET request to `http://TARGET/pacs/nocache.php?path=%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini` [ref_id=1]. 3. The server returns the contents of `C:\Windows\win.ini`. 4. To read the password file, use: `http://TARGET/pacs/nocache.php?path=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c\MedDreamPACS-Premium\passwords.txt` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- www.exploit-db.com/exploits/45347mitreexploit
- www.vulncheck.com/advisories/softneta-meddream-pacs-server-premium-directory-traversalmitrethird-party-advisory
- www.softneta.com/products/meddream-pacs-server/downloads.htmlmitreproduct
News mentions
0No linked articles in our index yet.