Reflected Cross-Site Scripting in Front Payment CC in openemr/openemr
Valid
Reported on
Oct 6th 2022
Description
front_payment_cc.php does not properly encode the cardHolderName and zip request parameters when mode=AuthorizeNet is sent. The response is a JSON string that embeds these values unencoded and is most likely served with a text/html Content-Type header, so the browser renders the reflected markup and the endpoint is vulnerable to reflected XSS.
Proof of Concept
While it was not tested in a production environment, it would probably be triggered with a request similar to this:
POST /openemr/interface/patient_file/front_payment_cc.php HTTP/1.1
(...snip...)
Content-Length: 129

mode=AuthorizeNet&zip=<script>alert(1);</script>&cardHolderName=<script>alert(2);</script>&payment=1&dataDescriptor=1&dataValue=1
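To make the failure mode concrete, the following PHP sketch is an added example and not OpenEMR's front_payment_cc.php: it reproduces the pattern the description implies (a JSON body built by string concatenation, served with PHP's default text/html Content-Type) next to a hardened equivalent. The parameter names follow the request above; the handler functions and the sample input are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not OpenEMR's code. Field names (mode, cardHolderName,
// zip) follow the PoC request; the functions and sample input are assumed.

// Constructed sample input standing in for $_POST from the PoC request.
$post = [
    'mode'           => 'AuthorizeNet',
    'cardHolderName' => '<script>alert(2);</script>',
    'zip'            => '<script>alert(1);</script>',
];

// VULNERABLE pattern: the JSON body is assembled by concatenating raw request
// values and no Content-Type is set, so PHP's default (text/html) applies and
// the browser renders the reflected <script> tags instead of treating them as data.
function vulnerableResponse(array $post): array
{
    $body = '{"mode":"' . $post['mode'] . '",'
          . '"cardHolderName":"' . $post['cardHolderName'] . '",'
          . '"zip":"' . $post['zip'] . '"}';
    return ['headers' => [], 'body' => $body];
}

// HARDENED pattern: json_encode() escapes the values; the JSON_HEX_* flags
// additionally encode < > & ' " as \uXXXX so the body stays inert even if it is
// ever served or sniffed as HTML. The response is declared as JSON and
// Content-Type sniffing is disabled.
function hardenedResponse(array $post): array
{
    $body = json_encode(
        [
            'mode'           => $post['mode'],
            'cardHolderName' => $post['cardHolderName'],
            'zip'            => $post['zip'],
        ],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return [
        'headers' => [
            'Content-Type: application/json; charset=utf-8',
            'X-Content-Type-Options: nosniff',
        ],
        'body' => $body,
    ];
}

// Self-check: the raw tag survives in the vulnerable body but not in the
// hardened one, while the hardened body still decodes to the original value.
$vuln = vulnerableResponse($post);
$safe = hardenedResponse($post);
assert(str_contains($vuln['body'], '<script>'));
assert(!str_contains($safe['body'], '<script>'));
assert(json_decode($safe['body'], true)['zip'] === '<script>alert(1);</script>');

foreach ($safe['headers'] as $header) {
    header($header);
}
echo $safe['body'];
```

The server-side encoding removes the reflection from the raw response, but note the caveat in the last assertion: json_decode() restores the original string, so any client-side script that inserts a decoded field into the DOM with innerHTML must still HTML-encode it (or use textContent); otherwise the payload is simply re-introduced on the client.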
Impact
An attacker could steal the victim's session cookie, trick the user into entering their credentials, or, more generally, take control of the web application flow in the victim's browser.
Occurrences
front_payment_cc.php#L24-L57 (validated)
Timeline
Report received and processing started; the openemr team was to be contacted within 24 hours.
xkulio modified the report.
A member of the openemr team was contacted; awaiting their response.
A follow-up was sent to the openemr team, with another attempt scheduled in 7 days.
The researcher's credibility has increased: +7.
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
front_payment_cc.php#L24-L57 has been validated.