Stored Cross Site Scripting in openemr/openemr
Mar 21st 2022
Stored Cross Site-Scripting (XSS)
###Authentication Required? Yes
A stored XSS vulnerability found in “/interface/new/new_comprehensive_save.php” that allows authenticated user to inject arbitrary web script in 2 different parameters (form_fname, form_lname). The XSS payload will be fired in the Ledger, History and Transactions tabs from the user’s dashboard if any authenticated user views it.
Ensure to HTML encode before inserting any untrusted data into HTML element content. Ensure all inputs entered by user should be sanitized and validated before processing and storage. Inputs should be filtered by the application, for example removing special characters such as < and > as well as special words such as script.
Aden Yap Chuen Zhen (firstname.lastname@example.org)
Rizan, Sheikh (email@example.com) Ali Radzali (firstname.lastname@example.org)
Login as any user that has privileges to create new patient. Clinicians should be able to create new patient too. (Click on Patient/Client > Click on New/Search)
Figure 1: Login as Clinicians and Create New Patient
Insert this payload in either these 2 different input boxes. (First Name, Last Name). Then, click on “Create New Patient” and confirm it.
Figure 2: Insert Payload in First Name
We will get into the patient’s dashboard now with the XSS payload stated in the Patient’s name.
Figure 3: Patient’s Dashboard with XSS Payload in Name
The XSS will be fired in the Ledger, History and Transactions tabs but not all roles have the privileges to view it. Login as Administrator or Accounting and click on Ledger tabs of that user. The cookies of the user will be pop out in alert box.
Figure 4: XSS Fired in Ledger Tabs of the User
Click on Transactions tabs of that user. Click on New or Edit any transactions. The cookies of the user will pop out in the alert box.
Figure 5: XSS Fired in Transactions Tabs of the User
Click on History tabs of that user. Click on Edit and the cookies of the user will pop out in the alert box.
This was fixed for 6.0.0 in patch 2 (18.104.22.168). This patch was released about 10 months ago.
Dear @admin I've already ping the maintainer, could you please follow up on the CVE creation? Tq
Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq
Also note that this fix is also in the recently released 6.1.0 version.
I consent to creation of CVE.