{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/loris/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33350"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LORIS"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-33350","loris","web-application"],"_cs_type":"advisory","_cs_vendors":["LORIS"],"content_html":"\u003cp\u003eLORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application used for data and project management in neuroimaging research. A SQL injection vulnerability, identified as CVE-2026-33350, affects versions prior to 27.0.3 and 28.0.1. The vulnerability is located in code sections related to the MRI feedback popup window within the imaging browser. An attacker exploiting this flaw could potentially gain unauthorized access to sensitive data or modify existing records stored on the server. Organizations utilizing vulnerable LORIS versions are at risk of data breaches and integrity compromises. Upgrading to version 27.0.3 or 28.0.1 is advised to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a LORIS instance running a vulnerable version (prior to 27.0.3 or 28.0.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL payload designed to exploit the injection point within the MRI feedback popup window of the imaging browser.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the SQL payload through a user-supplied input field related to the MRI feedback feature.\u003c/li\u003e\n\u003cli\u003eThe LORIS application, without proper sanitization or input validation, executes the attacker-controlled SQL query against the database.\u003c/li\u003e\n\u003cli\u003eDepending on the injected payload, the attacker can read sensitive data from the database, such as patient information or research data.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could modify existing data, potentially corrupting research results or manipulating patient records.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges within the database or gain access to the underlying operating system, depending on the database configuration and permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-33350) could lead to unauthorized access to sensitive patient data and research information stored within the LORIS system. This could result in violations of privacy regulations (e.g., HIPAA), reputational damage for the affected organization, and potential legal liabilities. Data modification could compromise the integrity of research findings and impact clinical decision-making. While the number of affected installations is unknown, the self-hosted nature of LORIS means that each vulnerable instance is a potential target.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LORIS installations to version 27.0.3 or 28.0.1 to patch CVE-2026-33350 as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures within the LORIS application to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts against LORIS instances.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious activity targeting the MRI feedback functionality to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T10:00:00Z","date_published":"2024-01-30T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-loris-sql-injection/","summary":"A SQL injection vulnerability exists in LORIS versions prior to 27.0.3 and 28.0.1, allowing attackers to access or alter data via the MRI feedback popup window in the imaging browser.","title":"LORIS SQL Injection Vulnerability (CVE-2026-33350)","url":"https://feed.craftedsignal.io/briefs/2024-01-loris-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-35169"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LORIS"],"_cs_severities":["high"],"_cs_tags":["xss","cve-2026-35169","loris"],"_cs_type":"advisory","_cs_vendors":["LORIS"],"content_html":"\u003cp\u003eLORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application used for data and project management in neuroimaging research. Versions prior to 27.0.3 and 28.0.1 contain a reflected cross-site scripting (XSS) vulnerability (CVE-2026-35169) in the \u003ccode\u003ehelp_editor\u003c/code\u003e module. The vulnerability stems from the module's failure to properly sanitize user-supplied variables. An attacker could exploit this by crafting a malicious link and tricking a user into clicking it, leading to arbitrary script execution in the user's browser. Additionally, the same input vector can be leveraged to download arbitrary markdown files from the unpatched server. Organizations using LORIS should upgrade to version 27.0.3 or 28.0.1 to remediate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable LORIS instance running a version prior to 27.0.3 or 28.0.1.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing a JavaScript payload in a parameter processed by the \u003ccode\u003ehelp_editor\u003c/code\u003e module. The payload could be designed to steal cookies, redirect the user, or deface the web page.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL to a target user via email, social media, or other means.\u003c/li\u003e\n\u003cli\u003eThe target user, believing the link to be legitimate, clicks on the malicious URL.\u003c/li\u003e\n\u003cli\u003eThe user's browser sends a request to the LORIS server, including the malicious JavaScript payload as a parameter.\u003c/li\u003e\n\u003cli\u003eThe LORIS server's \u003ccode\u003ehelp_editor\u003c/code\u003e module fails to properly sanitize the user-supplied input.\u003c/li\u003e\n\u003cli\u003eThe server reflects the unsanitized JavaScript payload back to the user's browser within the HTML response.\u003c/li\u003e\n\u003cli\u003eThe user's browser executes the malicious JavaScript code, enabling the attacker to perform actions within the context of the user's session or download arbitrary markdown files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the XSS vulnerability (CVE-2026-35169) in LORIS could lead to various detrimental outcomes. An attacker could steal sensitive user session cookies, potentially gaining unauthorized access to the LORIS application and associated data. The attacker could also deface the LORIS website, redirect users to phishing pages, or perform other malicious actions within the user's browser. Furthermore, the ability to download arbitrary markdown files can expose sensitive documentation or configuration details stored on the server, potentially aiding further attacks. Given LORIS's use in managing neuroimaging research data, a successful attack could compromise sensitive patient or research information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade LORIS to version 27.0.3 or 28.0.1 to patch CVE-2026-35169 and prevent exploitation of the XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect attempts to exploit the XSS vulnerability in the LORIS \u003ccode\u003ehelp_editor\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding in the \u003ccode\u003ehelp_editor\u003c/code\u003e module to prevent XSS vulnerabilities in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-28-loris-xss/","summary":"A reflected cross-site scripting vulnerability (CVE-2026-35169) exists in the LORIS help_editor module due to insufficient sanitization of user-supplied variables, potentially leading to arbitrary markdown file downloads or script execution if a user clicks a crafted link.","title":"LORIS Reflected Cross-Site Scripting Vulnerability (CVE-2026-35169)","url":"https://feed.craftedsignal.io/briefs/2024-01-28-loris-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - LORIS","version":"https://jsonfeed.org/version/1.1"}