VYPR
Unrated severity · NVD Advisory · Published Sep 30, 2022 · Updated May 20, 2025

CVE-2022-37461

Description

Multiple cross-site scripting (XSS) vulnerabilities in Canon Medical Vitrea View 7.x before 7.7.6 allow remote attackers to inject arbitrary web script or HTML via (1) input appended to the /vitrea-view/error/ subdirectory path, or the (2) groupID, (3) offset, or (4) limit parameter of an Administrative Panel (Group and Users) page. There is a risk of an attacker retrieving patient information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Canon Medical Vitrea View 7.x before 7.7.6 contains multiple reflected XSS vulnerabilities via error subdirectory or admin panel parameters, risking patient data theft.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in Canon Medical Vitrea View versions 7.x prior to 7.7.6 [1]. An attacker can inject arbitrary web script or HTML through (1) input passed to the /vitrea-view/error/ subdirectory (likely via the URL path after 'error'), or through the (2) groupID, (3) offset, or (4) limit parameters on an Administrative Panel (Group and Users) page. No authentication is required to reach the error subdirectory; the administrative panel pages likely require prior administrator login, but the description does not specify [1].

Exploitation

For the error subdirectory vector, an attacker can craft a URL such as https://target/vitrea-view/error/ and lure a victim (potentially an authenticated user or administrator) to click the link. The injected script executes in the victim's browser session. For the administrative panel parameters, an attacker would need to be on an administrative page and manipulate the groupID, offset, or limit parameters (via a crafted URL or through a cross-site request forgery attack if the victim is already authenticated) [1]. The exact user interaction and authentication requirements are not fully detailed in the available reference, which only describes the vulnerability classes [1].

Impact

Successful exploitation could allow an attacker to execute arbitrary JavaScript within the context of the Vitrea View application. This could lead to session hijacking, theft of sensitive data displayed on administrative pages, or unauthorized actions on behalf of the victim user. Critically, the description notes there is a risk of an attacker retrieving patient information, which would represent a serious breach of protected health information (PHI) [1].

Mitigation

The vendor released version 7.7.6 to address these vulnerabilities. Organizations using Canon Medical Vitrea View 7.x should upgrade to version 7.7.6 or later immediately. No workarounds are mentioned in the available reference [1]. If upgrading is not immediately possible, restricting network access to the administrative panel and educating users about phishing links may reduce risk, but these are not complete mitigations. The CVE is not known to be listed on the CISA KEV catalogue.
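Where upgrading is delayed, the four injection points named above can at least be watched for. The following is an added defender-side example, not code from the advisory or from Canon Medical: it scans constructed access log lines and flags requests that carry markup metacharacters in the /vitrea-view/error/ path suffix or in the groupID parameter, or non-integer values in offset or limit. The combined log format, the admin page path, and the assumption that offset and limit are decimal integers are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (combined log format), not real Vitrea View traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Sep/2022:10:00:01 +0000] "GET /vitrea-view/error/404 HTTP/1.1" 404 512
10.0.0.7 - - [30/Sep/2022:10:00:02 +0000] "GET /vitrea-view/error/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
10.0.0.9 - - [30/Sep/2022:10:00:03 +0000] "GET /vitrea-view/admin/groups?groupID=12&offset=0&limit=25 HTTP/1.1" 200 4096
10.0.0.9 - - [30/Sep/2022:10:00:04 +0000] "GET /vitrea-view/admin/groups?groupID=12&offset=0&limit=25%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
# Characters that have no business in these values; their presence suggests markup injection.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)
INT_RE = re.compile(r"^-?\d+$")
ADMIN_PARAMS = ("groupID", "offset", "limit")
ERROR_PREFIX = "/vitrea-view/error/"

def check_request(target):
    """Return a list of (vector, value) findings for one request target; empty if clean."""
    findings = []
    url = urlsplit(target)
    path = unquote(url.path)
    # Vector (1): whatever follows the error subdirectory is reflected, so flag markup in it.
    if path.startswith(ERROR_PREFIX):
        suffix = path[len(ERROR_PREFIX):]
        if MARKUP_RE.search(suffix):
            findings.append(("error-path", suffix))
    # Vectors (2)-(4): offset and limit are assumed to be integers, so anything else is
    # suspicious; groupID's legitimate format is unknown, so only markup characters are flagged.
    params = parse_qs(url.query, keep_blank_values=True)  # parse_qs percent-decodes values
    for name in ADMIN_PARAMS:
        for value in params.get(name, []):
            if name in ("offset", "limit") and not INT_RE.match(value):
                findings.append((name, value))
            elif name == "groupID" and MARKUP_RE.search(value):
                findings.append((name, value))
    return findings

def scan_log(text):
    """Return [(line_no, vector, value)] for every suspicious request in the log text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            for vector, value in check_request(m.group("target")):
                hits.append((line_no, vector, value))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s -> %r" % hit)
```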

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
