Reflected XSS in interface/forms/eye_mag/js/eye_base.php in openemr/openemr

Valid

Reported on

Mar 30th 2023


Description

There exists a reflected XSS in /interface/forms/eye_mag/js/eye_base.php in the 'providerID' parameter.

Proof of Concept

http://openemr.local/interface/forms/eye_mag/js/eye_base.php?providerID=%3Cimg%20src=x%20onerror=alert(1);%3E

Fix

Properly sanitize the providerID parameter.

Impact

An XSS can be leveraged to take over arbitrary accounts or make actions on behalf of other users.
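
The unsafe pattern next to two ways of closing it, as an added example that is not part of the original report and is not the code from eye_base.php or from the OpenEMR fix commit. It assumes the script writes providerID into generated JavaScript and that a provider ID is a positive integer; all function names are hypothetical.

```php
<?php
// Added example: constructed code, not the contents of eye_base.php.
// Assumption: the script echoes providerID into JavaScript it generates.

// Vulnerable pattern: the request value is copied verbatim into the response.
function render_vulnerable(array $query): string
{
    $providerID = $query['providerID'] ?? '';
    return "var provider_id = '" . $providerID . "';\n";
}

// Hardened pattern 1: allow-list the value (assumed to be a positive integer).
function render_validated(array $query): string
{
    $id = filter_var(
        $query['providerID'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        $id = 0; // anything that is not a plain integer is discarded
    }
    return 'var provider_id = ' . $id . ";\n";
}

// Hardened pattern 2: if the value must stay a string, encode it for the
// JavaScript context. The HEX flags turn <, >, &, ' and " into \uXXXX escapes.
function render_encoded(array $query): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'var provider_id = ' . json_encode((string)($query['providerID'] ?? ''), $flags) . ";\n";
}

// Constructed input: the decoded value from the proof-of-concept URL above.
$query = ['providerID' => '<img src=x onerror=alert(1);>'];

foreach (['render_vulnerable', 'render_validated', 'render_encoded'] as $fn) {
    $out = $fn($query);
    // Report whether a raw "<" reaches the response body for each variant.
    printf("%-18s raw '<' in output: %s\n", $fn, strpos($out, '<') !== false ? 'yes' : 'no');
    echo '  ', $out;
}

// A script-generating endpoint should also declare its type, so that a browser
// navigating to it directly does not parse the body as HTML:
// header('Content-Type: application/javascript; charset=utf-8');
// header('X-Content-Type-Options: nosniff');
```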

We are processing your report and will contact the openemr team within 24 hours. 6 months ago
We have contacted a member of the openemr team and are waiting to hear back 6 months ago
openemr/openemr maintainer has acknowledged this report 6 months ago
Brady Miller
5 months ago

Maintainer


This is fixed in master branch at https://github.com/openemr/openemr/commit/af1ecf78d1342519791bda9d3079e88f7d859015

@tsarsecurity, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 1-3 weeks, which will include this fix. At that time (after the release of OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a CVE).

Thanks for the report, @tsarsecurity!

Brady Miller validated this vulnerability 5 months ago
TsarSec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
TsarSec
5 months ago

Researcher


No worries, I hope you can update this report once you publish your next release!

Brady Miller marked this as fixed in 7.0.1 with commit af1ecf 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Brady Miller published this vulnerability 4 months ago
eye_base.php#L372 has been validated