The Aperio Eslide Manager application is vulnerable to reflected cross-site scripting (XSS), which primarily affects the Leica Web Viewer within the application. An authenticated user can access the slides within a project and make changes to the associated “memo” fields. The memo field has a hover-over icon that can display a Microsoft Tool Tip, which a user can use to quickly view the memo associated with the slide.
The memo field does not properly sanitize input, so an attacker can enter a malicious JavaScript payload and save it to that field. Once the payload is saved, hovering over the icon causes it to execute. There is a caveat, though, involving the "View all Memos" button above the slide decks: clicking it routes the stored memo through a different sink, one that properly sanitizes the value, so the payload does not execute there. After the memo has been rendered through that sanitizing sink, the attacker must re-save the memo and avoid the "View all Memos" view in order for the payload to execute.
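The behaviour described above matches a memo value written into the hover-tooltip markup without output encoding, while the "View all Memos" path encodes it. The following JavaScript is an added illustration of that inconsistency, not code from the product or from this advisory; the function names, the markup shape and the sample memo are all constructed for the example.

```javascript
// Added illustration (not Aperio/Leica code): two ways of rendering a slide memo
// into tooltip markup. renderTooltipUnsafe() mirrors the defect described in the
// advisory (raw memo concatenated into HTML); renderTooltipSafe() applies HTML
// entity encoding before the value reaches the sink.

// Constructed sample memo containing markup and attribute delimiters (benign).
const SAMPLE_MEMO = 'Recheck <b>slide 7</b> & "stain"';

// Encode the five characters that can break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the memo is interpolated straight into markup, so any
// tags or attribute delimiters inside the memo become part of the DOM.
function renderTooltipUnsafe(memo) {
  return `<span class="memo-icon" title="${memo}">${memo}</span>`;
}

// Hardened pattern: the memo is entity-encoded for the HTML contexts it lands
// in (attribute value and element text), so it is displayed verbatim.
function renderTooltipSafe(memo) {
  const safe = escapeHtml(memo);
  return `<span class="memo-icon" title="${safe}">${safe}</span>`;
}

// Crude structural check a reviewer can run over rendered output: count
// opening tags. A correctly encoded memo never adds elements, so the safe
// renderer always yields exactly one opening tag regardless of memo content.
function countOpeningTags(html) {
  const matches = html.match(/<[a-zA-Z][^>]*>/g);
  return matches ? matches.length : 0;
}
```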
Due to the scope of the assessment, BLS operators are unable to verify whether this bug has been fixed in other versions. To our knowledge, the only affected version is 12.3.2.5030.
The vulnerability has been documented and submitted as CVE-2025-1888 and can be viewed at https://www.cve.org/CVERecord?id=CVE-2025-1888.
Proof of Concept:
1.) Log in as a user with access to view slides. In testing, BLS operators used the research-only guest account. Navigate to the Eslide Manager application by viewing a case.
2.) Click on the memo field and enter the following payload. Remember to hit save.
3.) Hover over the clipboard and see the reflected response.
Timeline:
Discovered vulnerability: October 31st, 2024
Initial report to Leica Biosystems: November 20th, 2024
Secondary notification: February 2nd, 2025
Exited 90-day response period: February 18th, 2025
Public disclosure date: March 14th, 2025