CVE-2023-3892

Published: Sep 19, 2023

Modified: Sep 25, 2024

PUBLISHED

CVSS v3.1

5.6

MEDIUM

Description

Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data. Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+). This issue was found and analyzed by MIM Software's internal security team. We are unaware of any proof of concept or actual exploit available in the wild. For more information, visit https://www.mimsoftware.com/cve-2023-3892 https://www.mimsoftware.com/cve-2023-3892 This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3.

Vendor	Product	Versions
MIM Software	MIM Assistant	affected `7.2.10` affected `7.3.3`
MIM Software	MIM Client	affected `7.2.10` affected `7.3.3`

Weaknesses (CWE)

CWE-611

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

References

https://www.mimsoftware.com/cve-2023-3892

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-3892

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References