CVE-2018-25142

CRITICAL

NovaRad NovaPACS Diagnostics Viewer <8.5.19.75 - XXE Injection

Title source: llm

Description

NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappsxml

https://www.exploit-db.com/exploits/45337

View Code ZIP pw:eip

References (3)

[Various Sources] https://www.novarad.net

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/45337

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5488.php

Scores

CVSS v3 9.8

EPSS 0.0005

EPSS Percentile 15.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-611

Status draft

Timeline

Published Dec 24, 2025

Tracked Since Feb 18, 2026