Description
A security researcher found an XML External Entity (XXE) vulnerability in the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user who supplies a modified HTTP SOAP request to the vulnerable service can gain arbitrary file read access to the local file system and cause the application service account's hashed credentials to be transmitted to a remote attacker.
References (1)
Core References
Third Party Advisory x_refsource_misc
https://technical.nttsecurity.com/post/102emjg/conserus-image-repository-xml-external-entity-vulnerability
Scores
CVSS v3
9.8
EPSS
0.0144
EPSS Percentile
69.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-611
Status
published
Products (1)
changehealthcare/conserus_image_repository
2.1.1.105
Published
Dec 15, 2017
Tracked Since
Feb 18, 2026