Stored HTML injection in Patient chat functionality in openemr/openemr
Dec 25th 2022
I've found that it is possible to inject HTML into the Patient Chat functionality, which allows malicious markup to be stored there and potentially affect the other chat users.
Proof of Concept
- Login from the patient portal. I've used the demo instance here: http://demo.openemr.io/openemr/portal/index.php?site=&w-
- Go to the chat functionality and submit a payload such as:
<a href=//evil.com>click here</a>
You'll see that the unsanitized HTML is rendered in the chat.
- Click on the link to actually be redirected to the evil site.
This makes a range of actions possible, from stealing credentials and taking the victim to an arbitrary site to inserting false messages for the victim.
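The root cause described above is that chat messages are stored and rendered without output encoding. The following is an added example, not OpenEMR's own code, showing how a chat front end should encode a stored message before placing it in an HTML template, together with a simple audit check a defender can run over stored messages to find ones that contain markup. The function names and the sample messages are constructed for this illustration.

```javascript
// Added example (not OpenEMR code): output encoding for chat messages and an
// audit check for stored messages that contain markup. All names are assumed.

// Escape the characters that change meaning in HTML text and attribute values.
// A single regex with a callback ensures '&' is never double-escaped.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the HTML for one chat line. Both author and body are untrusted input
// and are escaped before being concatenated into the template. In a browser
// the equivalent of this is assigning the message to element.textContent
// instead of element.innerHTML.
function renderMessage(author, body) {
  return '<li><b>' + escapeHtml(author) + ':</b> ' + escapeHtml(body) + '</li>';
}

// Defender-side check: a plain-text chat never needs tag-like sequences, so
// any stored message containing one is worth reviewing. The pattern requires
// a letter or '!' after '<' so that "2 < 3 and 5 > 4" is not flagged.
function containsMarkup(body) {
  return /<\s*\/?[a-z!][^>]*>/i.test(body);
}

// Walk a list of stored messages and return the indexes that contain markup.
function auditStoredMessages(messages) {
  return messages
    .map((m, i) => (containsMarkup(m.body) ? i : -1))
    .filter((i) => i >= 0);
}

// Constructed sample messages, including the payload shape from the report.
const sampleMessages = [
  { author: 'patient1', body: 'Hello, can I reschedule my appointment?' },
  { author: 'patient2', body: '<a href=//evil.com>click here</a>' },
  { author: 'patient3', body: 'My reading was 2 < 3 and 5 > 4 today' },
];

// Render each message safely and report which stored ones contain markup.
function demo() {
  const rendered = sampleMessages.map((m) => renderMessage(m.author, m.body));
  const flagged = auditStoredMessages(sampleMessages);
  rendered.forEach((line, i) => {
    console.log((flagged.includes(i) ? 'FLAGGED ' : 'ok      ') + line);
  });
  return { rendered, flagged };
}

demo();
```

With encoding applied, the payload from the report is displayed literally as `<a href=//evil.com>click here</a>` rather than becoming a clickable link, and the audit flags only the message that actually carries a tag.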