Reflected Cross-Site Scripting in Front Payment CC in openemr/openemr
Reported on Oct 6th 2022
Description
The front_payment_cc.php endpoint was not properly encoding the cardHolderName and zip parameters when mode is set to AuthorizeNet. The response was a JSON string containing the raw, unencoded values, and it is probably served with a text/html Content-Type header, leaving it vulnerable to reflected XSS.
Proof of Concept
While it was not tested in a production environment, it would probably be triggered with a request similar to this:
POST /openemr/interface/patient_file/front_payment_cc.php HTTP/1.1
(...snip...)
Content-Length: 65
mode=AuthorizeNet&zip=<script>alert(1);</script>&cardHolderName=<script>alert(2);</script>&payment=1&dataDescriptor=1&dataValue=1
Impact
An attacker could steal the session cookie, trick the user into entering their credentials or, in general, take control of the web application flow.
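The response pattern described above, beside its hardened form, as an added illustration (hypothetical function names, not OpenEMR's own code): the fix is to escape HTML-significant characters inside the JSON and to declare the real media type so a browser never renders the body as a page.

```php
<?php
// Added illustration, not OpenEMR's code. Reconstructs the response pattern the
// report describes; function names and sample input are constructed.

// Vulnerable pattern: user input is reflected into a JSON string that is written
// with no explicit Content-Type, so a browser treats the body as text/html and
// parses any <script> inside the values as markup.
function vulnerable_response(array $post): string
{
    $out = [
        'cardHolderName' => $post['cardHolderName'] ?? '',
        'zip'            => $post['zip'] ?? '',
    ];
    // Default json_encode leaves "<" and ">" untouched.
    return json_encode($out);
}

// Hardened pattern: JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, which
// decode correctly as JSON but are inert if the body is ever rendered as HTML;
// the headers tell the browser (and stop it from sniffing) that this is JSON.
function hardened_response(array $post): string
{
    $out = [
        'cardHolderName' => $post['cardHolderName'] ?? '',
        'zip'            => $post['zip'] ?? '',
    ];
    if (!headers_sent()) {
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
    return json_encode(
        $out,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample input mirroring the proof-of-concept request body.
$sample = [
    'cardHolderName' => '<script>alert(2);</script>',
    'zip'            => '<script>alert(1);</script>',
];
echo vulnerable_response($sample), PHP_EOL; // raw <script> tags survive
echo hardened_response($sample), PHP_EOL;   // tags become \u003Cscript\u003E ...
```

Run from the command line (`php example.php`) the two lines printed differ only in the escaping; the headers only take effect when the script is served over HTTP.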