Stored Cross Site Scripting in openemr/openemr


Reported on

Mar 21st 2022

Vulnerability Type

Stored Cross Site-Scripting (XSS)

Affected URL


Affected Parameters

“form_fname” “form_lname”

Authentication Required?

Yes

Issue Summary

A stored XSS vulnerability was found in “/interface/new/new_comprehensive_save.php” that allows an authenticated user to inject arbitrary web script through two parameters (form_fname, form_lname). The payload fires in the Ledger, History and Transactions tabs of the user’s dashboard whenever any authenticated user views them.


HTML-encode untrusted data before inserting it into HTML element content. All user-supplied input should be sanitized and validated before it is processed and stored. Inputs should be filtered by the application, for example by removing special characters such as < and > as well as special words such as script.
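The following is an added example, not OpenEMR's own code, showing the encoding the remediation above calls for. It assumes a hypothetical rendering layer that prints the stored form_fname and form_lname values into a table cell and into a pre-filled edit input (the two places where the report says the payload fires); the sample record is constructed. Encoding at the point of output is the defense that holds in every HTML context, whereas a keyword blocklist only covers the spellings it anticipates.

```php
<?php
// Added example (not OpenEMR's code): encode untrusted patient names at output.
// Assumed: a hypothetical view layer receives the stored form_fname / form_lname
// values; here they come from a constructed array rather than the database.

declare(strict_types=1);

/**
 * HTML-encode an untrusted string for HTML element content or a quoted
 * attribute value. ENT_QUOTES encodes both " and ' so the same function is
 * safe inside attributes; ENT_SUBSTITUTE keeps htmlspecialchars from
 * returning '' on invalid UTF-8 instead of a visible replacement character.
 */
function encodeForHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the stored value is concatenated straight into markup. */
function renderNameUnsafe(string $fname, string $lname): string
{
    return '<td class="patient-name">' . $fname . ' ' . $lname . '</td>';
}

/** Hardened pattern: every untrusted value is encoded where it is emitted. */
function renderNameSafe(string $fname, string $lname): string
{
    return '<td class="patient-name">'
        . encodeForHtml($fname) . ' ' . encodeForHtml($lname)
        . '</td>';
}

/** Attribute context, e.g. the pre-filled input on an Edit form: same rule. */
function renderEditInputSafe(string $field, string $value): string
{
    return '<input type="text" name="' . encodeForHtml($field)
        . '" value="' . encodeForHtml($value) . '">';
}

// Constructed sample record: markup and both quote styles in the name fields.
$record = [
    'form_fname' => 'Mary <b>"M"</b>',
    'form_lname' => "O'Brien & Sons",
];

// The unsafe render hands the <b> element to the browser as markup;
// the safe renders turn <, >, &, " and ' into entities so the browser
// shows them as literal text.
echo renderNameUnsafe($record['form_fname'], $record['form_lname']), PHP_EOL;
echo renderNameSafe($record['form_fname'], $record['form_lname']), PHP_EOL;
echo renderEditInputSafe('form_lname', $record['form_lname']), PHP_EOL;
```

Run with `php example.php` to compare the three lines. The design point is that encoding happens in the view, not on the way into the database: the stored value stays exactly what the user typed (an apostrophe in a surname is legitimate data), and every template that prints it goes through one encoder chosen for the HTML context it writes into.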


Aden Yap Chuen Zhen
Rizan, Sheikh
Ali Radzali

Issue Reproduction

Log in as any user with privileges to create a new patient; clinicians can create new patients too. (Click Patient/Client > New/Search.)

Figure 1: Login as Clinicians and Create New Patient

Insert this payload in either of the two input boxes (First Name, Last Name). Then click “Create New Patient” and confirm it.


Figure 2: Insert Payload in First Name

We now land on the patient’s dashboard, with the XSS payload shown in the patient’s name.

Figure 3: Patient’s Dashboard with XSS Payload in Name

The XSS fires in the Ledger, History and Transactions tabs, but not all roles have the privileges to view them. Log in as Administrator or Accounting and click the Ledger tab of that patient. The user’s cookies pop up in an alert box.

Figure 4: XSS Fired in Ledger Tabs of the User

Click the Transactions tab of that patient, then click New or Edit on any transaction. The user’s cookies pop up in an alert box.

Figure 5: XSS Fired in Transactions Tabs of the User

Click the History tab of that patient, then click Edit; the user’s cookies pop up in an alert box.

Figure 6: XSS Fired in History Tabs of the User

We are processing your report and will contact the openemr team within 24 hours. a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
We have sent a follow up to the openemr team. We will try again in 7 days. a year ago
openemr/openemr maintainer validated this vulnerability a year ago
r00t.pgp has been awarded the disclosure bounty
The fix bounty is now up for grabs
openemr/openemr maintainer
a year ago


This was fixed for 6.0.0 in patch 2. This patch was released about 10 months ago.

openemr/openemr maintainer marked this as fixed with commit 2835cc a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


Dear @admin, I've already pinged the maintainer; could you please follow up on the CVE creation? Tq

Dear @maintainer, could you kindly confirm that a CVE can be created for this report? Tq

openemr/openemr maintainer
a year ago


Also note that this fix is also in the recently released 6.1.0 version.

I consent to creation of CVE.

Jamie Slome
a year ago


Sorted 👍
