CVE-2020-29164
Description
PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by cross-site scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- PacsOne Server/PacsOne Server (description)
- Range: <7.1.1
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization in the web user interface allows injection of arbitrary HTML/JavaScript."
Attack vector
An attacker can inject arbitrary JavaScript into the web user interface of PacsOne Server versions below 7.1.1. The cross-site scripting (XSS) vulnerability is triggered when a victim views crafted input that is not properly sanitized by the application. The advisory does not specify the exact input vector (e.g., URL parameters, form fields, or DICOM metadata) used to deliver the payload [ref_id=1].
Affected code
The advisory does not specify which files or functions are affected. The vendor's download page [ref_id=1] lists version history but does not identify the vulnerable code paths. No patch or researcher write-up detailing specific functions is included in the bundle.
What the fix does
The vendor addressed the XSS vulnerability in PacsOne Server version 7.1.1. No patch diff is included in the bundle, so the specific code changes are unknown. The advisory [ref_id=1] lists version 7.1.1 as the first fixed release but does not describe the remediation steps taken.
Preconditions
- auth: The victim must be logged into the PacsOne Server web interface and view a page containing the attacker's crafted input.
- input: The attacker must be able to submit or inject content (e.g., via a DICOM study, patient record, or URL parameter) that is later rendered by the web UI.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/leommxj/0a32afeeaac960682c5b7c9ca8ed070d (mitre, x_refsource_MISC)
- pacsone.net/download.htm (mitre, x_refsource_MISC)