Cross-site Scripting - Reflected in openemr/openemr


Reported on

Aug 2nd 2022


The pricelevel parameter in openemr is vulnerable to reflected XSS

Proof of Concept

  1. Open the web browser to access the website
  2. Access the url: --> Alert box will pop up



If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
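As an added illustration (not code from OpenEMR, from the fix commit, or from the report), the pattern behind this class of bug in a PHP handler that reflects a `pricelevel` query value back into the page: an unsafe renderer writes the raw value into HTML, and a hardened one validates it against the known levels and HTML-encodes it for both text and attribute contexts. The `PRICE_LEVELS` list, the rendered markup and all function names are assumptions for illustration only.

```php
<?php
// Added illustration, not OpenEMR code. Assumes a hypothetical page that
// reflects the pricelevel query parameter into a <select> and a caption.

// Constructed: the price levels this hypothetical page knows about.
const PRICE_LEVELS = ['standard', 'wholesale', 'discount'];

// Vulnerable pattern: the user-controlled value is interpolated into HTML
// without encoding, so markup in ?pricelevel=... is rendered by the browser.
function renderPriceLevelUnsafe(string $pricelevel): string
{
    $html = '<select name="pricelevel">';
    foreach (PRICE_LEVELS as $level) {
        $selected = ($level === $pricelevel) ? ' selected' : '';
        $html .= "<option value=\"$level\"$selected>$level</option>";
    }
    // The defect: raw reflection of the request parameter.
    return $html . '</select><p>Current price level: ' . $pricelevel . '</p>';
}

// Encode for HTML text and attribute contexts. ENT_QUOTES also encodes
// single and double quotes, so a value cannot break out of an attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allow-list check: a handler can reject or default anything that is not a
// known level before it is ever reflected.
function isKnownPriceLevel(string $pricelevel): bool
{
    return in_array($pricelevel, PRICE_LEVELS, true);
}

// Hardened renderer: every dynamic value passes through esc(), whether or
// not it came from the allow-list, so encoding does not depend on the
// validation step having run.
function renderPriceLevelSafe(string $pricelevel): string
{
    $html = '<select name="pricelevel">';
    foreach (PRICE_LEVELS as $level) {
        $selected = ($level === $pricelevel) ? ' selected' : '';
        $html .= '<option value="' . esc($level) . '"' . $selected . '>'
               . esc($level) . '</option>';
    }
    return $html . '</select><p>Current price level: ' . esc($pricelevel) . '</p>';
}

// Constructed input containing markup characters (no real request needed).
$input = $_GET['pricelevel'] ?? '<b>not a level</b>';

if (!isKnownPriceLevel($input)) {
    // Reject early in a real handler; here we still render to show encoding.
    fwrite(STDERR, "warning: unknown pricelevel value, rendering encoded\n");
}
echo renderPriceLevelSafe($input), "\n";
// The unsafe renderer would emit the <b> tag verbatim; the safe one emits
// &lt;b&gt;not a level&lt;/b&gt;, which the browser displays as text.
```

Run with `php example.php` to see the encoded output; the unsafe renderer is kept only to make the difference visible side by side. The allow-list and the encoding are independent layers: the allow-list stops unexpected values from being reflected at all, and the encoding guarantees that whatever is reflected cannot change the document structure.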


We are processing your report and will contact the openemr team within 24 hours. a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
We have sent a follow up to the openemr team. We will try again in 7 days. a year ago
Brady Miller validated this vulnerability a year ago

Thanks for the report. A preliminary fix has been posted in commit 59458bc15ab0cb556c521de9d5187167d6f88945

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (, which will likely be in about 1-3 weeks. After I do that, then it will be ok to make a CVE # and make it public.


Phạm Đăng Chính has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Phạm Đăng Chính
a year ago


Thanks Brady, please let me know once the patch is released.

Brady Miller marked this as fixed in with commit 59458b a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Brady Miller
a year ago


OpenEMR patch 1 ( has been released, so this has been fixed. You have permission to make CVE # and make this public.

Phạm Đăng Chính
a year ago


@admin can we assign a CVE to this vulnerability?

Jamie Slome
a year ago


Sorted 👍
