-----BEGIN PGP SIGNED MESSAGE-----
SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer
Further SCHUTZWERK advisories:
Papaya, Research Imaging Institute - University of Texas Health Science
User supplied input in the form of DICOM or NIFTI images can be loaded
Papaya web application without any kind of sanitization. This allows to
executed as soon as the metadata is displayed in the Papaya web application.
the Papaya web application. A risk calculation highly depends on how the
software is used as a library in the context of a bigger medical web
application. During the discovery of this vulnerability, the web application
which used Papaya allowed uploading and storing corresponding images on
server and display them to multiple users. It was therefore possible to
session, leading to a disclosure of sensitive medical data.
A medical web application assessed for security vulnerabilities by
was found to contain a stored cross-site-scripting vulnerability. The
Imaging Institute belonging to the University of Texas Health Science
viewer, supporting DICOM and NIFTI formats, compatible across a range of web
browsers [..]". It can be used stand-alone or integrated into larger medical
applications, has 192 forks and 488 stars on GitHub and was used in at
published academic research papers.
One of the main features is to open medical images of multiple formats,
can be achieved via the context menu "File - Add image...". Papaya then
the image and adds a new icon in the upper right corner of the viewer.
allows opening another context menu to edit the previously opened image as
in multiple ways. The option of interest for the cross-site-scripting
vulnerability is the "Show Header" entry, which allows getting further
information about the medical image.
An example DICOM zip archive was downloaded, extracted and opened in
Papaya. The "Show Header" function shows multiple entries including private
patient data fields like patient ID, name, date of birth and gender.
The DICOM ToolKit (DCMTK) offers multiple tools to analyze, create
DICOM images. The metadata field "Manufacturer" of the previously downloaded
DICOM image was edited with the help of the DCMTK tool dcmodify:
DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m
The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:
[..] (0008,0070) LO [<script>alert(1)</script>] # 26, 1
Tag & Data [..]
Viewing the header information of the manipulated DICOM image in Papaya
SCHUTZWERK decided to publish the still existing vulnerability (commit
since the vendor did not implement any remediation several months after new
contributors have been introduced to the project.
Several mitigation recommendations have been sent to the vendor. These
common mitigation strategies from OWASP, like escaping user
As a quick workaround, the context menu, which allows showing header
can be disabled by setting the variable kioskMode to true.
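The following is an added example, not code from Papaya or from the advisory, showing the output-escaping mitigation referred to above. It renders a small, constructed set of DICOM header entries (modelled on the dcmdump output, with a "Manufacturer" value like the one used in the test) into an HTML table twice: once with the vulnerable pattern of concatenating raw metadata into markup, and once with every file-derived value escaped for an HTML text context as OWASP recommends. The function names, the entry structure and a small helper that flags markup-significant characters in header values are assumptions made for this example.

```javascript
// Added example (not Papaya's own code): rendering DICOM header entries into HTML.
// The entries below are constructed sample data modelled on the dcmdump output
// in the advisory; they are not taken from any real patient file.
const SAMPLE_HEADER = [
  { tag: "(0008,0070)", vr: "LO", name: "Manufacturer", value: "<script>alert(1)</script>" },
  { tag: "(0010,0010)", vr: "PN", name: "PatientName", value: "DOE^JANE" },
  { tag: "(0010,0020)", vr: "LO", name: "PatientID", value: "12345 \"test\" & <b>bold</b>" },
];

// Escape the five characters that matter when untrusted data is inserted
// into HTML element content (OWASP output-encoding rule for the HTML body).
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: metadata values are concatenated straight into markup,
// so a crafted Manufacturer field becomes live HTML once the string is
// assigned to innerHTML by the viewer.
function renderHeaderUnsafe(entries) {
  return "<table>" + entries.map((e) =>
    `<tr><td>${e.tag}</td><td>${e.name}</td><td>${e.value}</td></tr>`).join("") + "</table>";
}

// Hardened pattern: every field that originates from the file is escaped
// before it is inserted into the markup. Tag and name normally come from the
// parser's dictionary, but escaping them too costs nothing and keeps the
// renderer safe if they are ever derived from file contents.
function renderHeaderSafe(entries) {
  return "<table>" + entries.map((e) =>
    `<tr><td>${escapeHtml(e.tag)}</td><td>${escapeHtml(e.name)}</td><td>${escapeHtml(e.value)}</td></tr>`).join("") + "</table>";
}

// Defensive check for an upload pipeline or log review (assumed helper):
// return the tags of header values containing markup-significant characters,
// so such files can be reviewed before they are shared with other users.
function findMarkupInHeader(entries) {
  return entries.filter((e) => /[<>]/.test(e.value)).map((e) => e.tag);
}
```

Escaping on output is the durable fix: it keeps the metadata readable in the viewer (the user still sees the literal `<script>` text) while denying it any interpretation as HTML, and it does not depend on every upstream component agreeing on what a "safe" DICOM string is. The `findMarkupInHeader` check complements it on the server side of a multi-user deployment, where a flagged file can be held back from other users' sessions until it has been looked at.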
2020-08-20: Vulnerability discovered
2020-08-20: Vulnerability reported to
2020-09-30: Contacted vendor again
2020-09-30: Vendor responds and asks for mitigation ideas
2020-10-01: Response to vendor with detailed information and mitigation
2020-11-09: Contacted vendor again for any status updates
2022-08-30: Retest of the customer application including the Papaya web
2022-09-21: Notified vendor of intention to publish advisory
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will
2023-04-19: Informed vendor about publication deadline on May 15, 2023
2023-05-08: Vendor replied with intention to fix vulnerability until May
2023-05-15: Vulnerability fixed by vendor
2023-05-26: Advisory published by SCHUTZWERK
The vulnerability was discovered during an assessment by Lennert Preuth of
The information in this security advisory is provided "as is" and without
warranty of any kind. Details of this security advisory may be updated
to provide as accurate information as possible. The most recent version
security advisory can be found at SCHUTZWERK GmbH's website.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX
Phone +49 731 977 191 0
email@example.com / www.schutzwerk.com
Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer
Amtsgericht Ulm / HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz