Stored Cross Site Scripting in openemr/openemr

Valid

Reported on

Mar 21st 2022


Vulnerability Type

Stored Cross Site-Scripting (XSS)

Affected URL

https://localhost/openemr-6.0.0/interface/new/new_comprehensive_save.php

Affected Parameters

“form_fname” “form_lname”

###Authentication Required? Yes

Issue Summary

A stored XSS vulnerability found in “/interface/new/new_comprehensive_save.php” that allows authenticated user to inject arbitrary web script in 2 different parameters (form_fname, form_lname). The XSS payload will be fired in the Ledger, History and Transactions tabs from the user’s dashboard if any authenticated user views it.

Recommendation

Ensure to HTML encode before inserting any untrusted data into HTML element content. Ensure all inputs entered by user should be sanitized and validated before processing and storage. Inputs should be filtered by the application, for example removing special characters such as < and > as well as special words such as script.

Credits

Aden Yap Chuen Zhen (chuenzhen.yap2@baesystems.com)
Rizan, Sheikh (rizan.sheikhmohdfauzi@baesystems.com) Ali Radzali (muhammadali.radzali@baesystems.com)

Issue Reproduction

Login as any user that has privileges to create new patient. Clinicians should be able to create new patient too. (Click on Patient/Client > Click on New/Search)

1.png Figure 1: Login as Clinicians and Create New Patient

Insert this payload in either these 2 different input boxes. (First Name, Last Name). Then, click on “Create New Patient” and confirm it.

<script>alert(document.cookie)</script>

2.png Figure 2: Insert Payload in First Name

We will get into the patient’s dashboard now with the XSS payload stated in the Patient’s name.

3.png Figure 3: Patient’s Dashboard with XSS Payload in Name

The XSS will be fired in the Ledger, History and Transactions tabs but not all roles have the privileges to view it. Login as Administrator or Accounting and click on Ledger tabs of that user. The cookies of the user will be pop out in alert box.

4.png Figure 4: XSS Fired in Ledger Tabs of the User

Click on Transactions tabs of that user. Click on New or Edit any transactions. The cookies of the user will pop out in the alert box.

5.png Figure 5: XSS Fired in Transactions Tabs of the User

Click on History tabs of that user. Click on Edit and the cookies of the user will pop out in the alert box.

6.png Figure 6: XSS Fired in History Tabs of the User

We are processing your report and will contact the openemr team within 24 hours. 2 months ago
We have contacted a member of the openemr team and are waiting to hear back 2 months ago
We have sent a follow up to the openemr team. We will try again in 7 days. 2 months ago
openemr/openemr maintainer validated this vulnerability 2 months ago
r00t.pgp has been awarded the disclosure bounty
The fix bounty is now up for grabs
openemr/openemr maintainer
2 months ago

Maintainer


This was fixed for 6.0.0 in patch 2 (6.0.0.2). This patch was released about 10 months ago.

openemr/openemr maintainer confirmed that a fix has been merged on 2835cc 2 months ago
The fix bounty has been dropped
r00t.pgp
2 months ago

Researcher


Dear @admin I've already ping the maintainer, could you please follow up on the CVE creation? Tq

Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq

openemr/openemr maintainer
2 months ago

Maintainer


Also note that this fix is also in the recently released 6.1.0 version.

I consent to creation of CVE.

Jamie Slome
2 months ago

Admin


Sorted 👍

to join this conversation