Reflected Cross-Site Scripting in Front Payment CC in openemr/openemr
Valid
Reported on Oct 6th 2022
Description
front_payment_cc.php did not properly encode the cardHolderName and zip parameters when mode=AuthorizeNet was sent. The response was a JSON string containing the unencoded values, and it was probably served with a Content-Type header of text/html rather than application/json, so a browser would render the reflected values as HTML, leaving the endpoint vulnerable to reflected XSS.
Proof of Concept
While it was not tested in a production environment, it would probably be triggered with a request similar to this:
POST /openemr/interface/patient_file/front_payment_cc.php HTTP/1.1
(...snip...)
Content-Length: 129
mode=AuthorizeNet&zip=<script>alert(1);</script>&cardHolderName=<script>alert(2);</script>&payment=1&dataDescriptor=1&dataValue=1
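The following is an added illustration, not OpenEMR's own code: a minimal stand-in for the pattern the description and proof of concept above describe (request parameters reflected into a JSON body that the browser treats as text/html), next to a hardened version that escapes the values with json_encode and declares the real media type. The function names, the JSON layout and the sample input are assumptions made for the example.

```php
<?php
// Added example, not OpenEMR's own code. The handler names, the JSON layout and
// the sample input below are assumptions made to illustrate the reported pattern.

// Vulnerable pattern: parameters are concatenated into the JSON body as-is and
// the default PHP Content-Type (text/html) is left in place, so a browser that
// opens the response directly renders the reflected <script> tags.
function vulnerableAuthorizeNetResponse(array $post): string
{
    $name = $post['cardHolderName'] ?? '';
    $zip  = $post['zip'] ?? '';
    // String concatenation instead of json_encode: no escaping at all.
    return '{"status":"error","cardHolderName":"' . $name . '","zip":"' . $zip . '"}';
}

// Hardened version: build the body with json_encode and the JSON_HEX_* flags so
// that <, >, &, ' and " are emitted as \uXXXX escapes. The decoded value is
// unchanged, but the raw bytes can no longer form HTML tags even if a browser
// sniffs the response as a document.
function hardenedAuthorizeNetResponse(array $post): string
{
    $payload = [
        'status'         => 'error',
        'cardHolderName' => (string) ($post['cardHolderName'] ?? ''),
        'zip'            => (string) ($post['zip'] ?? ''),
    ];
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($payload, $flags);
}

// Send the body with the correct media type and forbid MIME sniffing, so the
// browser never treats the JSON document as HTML in the first place.
function sendJson(string $body): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

// Constructed input mirroring the report's proof-of-concept parameters.
$samplePost = [
    'mode'           => 'AuthorizeNet',
    'zip'            => '<script>alert(1);</script>',
    'cardHolderName' => '<script>alert(2);</script>',
];

// Self-check when run from the CLI: the vulnerable body carries a literal
// <script> tag, the hardened body carries no '<' at all, and decoding the
// hardened body gives back the original strings.
if (PHP_SAPI === 'cli') {
    $bad  = vulnerableAuthorizeNetResponse($samplePost);
    $good = hardenedAuthorizeNetResponse($samplePost);
    assert(str_contains($bad, '<script>'));
    assert(!str_contains($good, '<'));
    $decoded = json_decode($good, true, 512, JSON_THROW_ON_ERROR);
    assert($decoded['zip'] === $samplePost['zip']);
    assert($decoded['cardHolderName'] === $samplePost['cardHolderName']);
    echo $good, PHP_EOL;
}
```

The two fixes are independent and both are worth applying: the JSON_HEX_* escaping protects the body even when it is later embedded into an HTML page by client-side code, while the application/json header plus nosniff stops the direct-navigation case the report describes.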
Impact
An attacker could steal the session cookie, trick the user into entering their credentials or, in general, take control of the web application flow.
Occurrences
front_payment_cc.php#L24-L57
We are processing your report and will contact the openemr team within 24 hours. (7 months ago)
xkulio modified the report. (7 months ago)
We have contacted a member of the openemr team and are waiting to hear back. (7 months ago)
We have sent a follow up to the openemr team. We will try again in 7 days. (7 months ago)
The researcher's credibility has increased: +7
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
The report has been validated.
