Stored Cross Site Scripting in openemr/openemr
Mar 21st 2022
Stored Cross-Site Scripting (XSS)
### Authentication Required?
Yes
A stored XSS vulnerability was found in “/interface/new/new_comprehensive_save.php” that allows an authenticated user to inject arbitrary web script through two parameters (form_fname, form_lname). The injected script executes in the Ledger, History and Transactions tabs of the patient’s dashboard whenever any authenticated user views them.
HTML-encode any untrusted data before inserting it into HTML element content. All user-supplied input should be validated and sanitized before it is processed and stored. Inputs should be filtered by the application, for example by removing special characters such as < and > and special words such as script.
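Added example, not OpenEMR's own code: a PHP sketch of the vulnerable rendering pattern the report describes next to the encoded form the remediation asks for, covering the two output contexts named above (a text cell in a listing and the value attribute of an Edit form field). The function names and the sample record are assumptions made for this illustration.

```php
<?php
// Added illustration (not OpenEMR code). Constructed sample record: a first
// name carrying markup, as a stored payload submitted via form_fname would.
$patient = [
    'fname' => 'Jane<script>alert(1)</script>',
    'lname' => "O'Brien",
];

// Vulnerable pattern: stored data concatenated straight into the HTML.
// The browser parses the <script> element and runs it for every viewer of
// the Ledger, History or Transactions tab that renders the name this way.
function renderNameUnsafe(array $p): string
{
    return '<td>' . $p['fname'] . ' ' . $p['lname'] . '</td>';
}

// Hardened pattern: encode at output time for the exact HTML context.
// ENT_QUOTES also encodes the single quote, so the same helper is safe for
// both element content and quoted attribute values.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderNameSafe(array $p): string
{
    return '<td>' . html($p['fname']) . ' ' . html($p['lname']) . '</td>';
}

// The Edit forms put the stored name into an attribute; it needs the same
// treatment, otherwise a value containing a quote can break out of it.
function renderEditField(string $param, string $value): string
{
    return '<input type="text" name="' . html($param)
         . '" value="' . html($value) . '">';
}

// Side by side: the first line contains a live <script> element, the second
// shows it as literal text, and the third keeps the value inside the attribute.
echo renderNameUnsafe($patient), PHP_EOL;
echo renderNameSafe($patient), PHP_EOL;
echo renderEditField('form_fname', $patient['fname']), PHP_EOL;
```

Output encoding is the control that closes the reported issue; the input filtering the remediation also mentions is a second layer, not a substitute, because the same stored value reaches several different pages.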
Aden Yap Chuen Zhen (email@example.com)
Rizan, Sheikh (firstname.lastname@example.org)
Ali Radzali (email@example.com)
Log in as any user with privileges to create a new patient; clinicians can create patients too. (Click Patient/Client > New/Search.)
Insert this payload in either of the two input boxes (First Name, Last Name). Then click “Create New Patient” and confirm.
The patient’s dashboard now opens with the XSS payload shown as the patient’s name.
The XSS fires in the Ledger, History and Transactions tabs, but not all roles have the privileges to view them. Log in as Administrator or Accounting and click the Ledger tab of that patient. The user’s cookies pop up in an alert box.
Click the Transactions tab of that patient, then click New or Edit on any transaction. The user’s cookies pop up in the alert box.
Click the History tab of that patient, then click Edit. The user’s cookies pop up in the alert box.