CVE-2024-22725: 
Linux Debian vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in Orthanc versions before 1.12.2. The vulnerability was present in the server's error reporting functionality (NVD). The issue was identified and reported by Sébastien Doria from Vumetric Cybersecurity (Orthanc News).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). It has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it requires user interaction and can potentially lead to limited information disclosure and limited impact on integrity (NVD).

The vulnerability could allow an attacker to execute malicious scripts in the context of the user's browser when viewing error messages from the Orthanc server. This could potentially lead to information disclosure and compromise of user session data (NVD).

The vulnerability has been fixed in Orthanc version 1.12.2. The fix includes always including a 'Content-Type' header in HTTP responses with a body and always including 'X-Content-Type-Options: nosniff' to prevent MIME confusion attacks (Orthanc Patch). Users are advised to upgrade to version 1.12.2 or later to address this security issue.