Reflected Cross-Site Scripting in Front Payment CC in openemr/openemr
Oct 6th 2022
front_payment_cc.php was not properly encoding request parameters such as zip when mode=AuthorizeNet is sent. The response was a JSON string that included the unescaped values and was probably served with a text/html Content-Type header, leaving it vulnerable to reflected XSS.
Proof of Concept
While it was not tested in a production environment, it would probably be triggered with a request similar to this:

POST /interface/patient_file/front_payment_cc.php HTTP/1.1
(...snip...)
Content-Length: 65

mode=AuthorizeNet&zip=<script>alert(1);</script>&cardHolderName=<script>alert(2);</script>&payment=1&dataDescriptor=1&dataValue=1
An attacker could steal the session cookie, trick the user into entering their credentials or, in general, take control of the web application flow.
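The weakness the advisory describes next to its hardened form, as an added PHP illustration that is not OpenEMR's own code; it assumes PHP 8, the request fields from the proof of concept, and, as the advisory does, that the original handler set no Content-Type header:

```php
<?php
// Added illustration for this advisory; not OpenEMR's own code. It assumes the
// request shape from the proof of concept (mode, zip, cardHolderName) and, as the
// advisory does, that the original handler set no Content-Type header.

// Vulnerable pattern: the posted values are spliced into a JSON string without
// escaping, and nothing overrides PHP's default text/html content type, so a
// browser renders the reflected <script> elements instead of treating them as data.
function respond_vulnerable(array $post): string
{
    return '{"mode":"' . $post['mode'] . '","zip":"' . $post['zip']
        . '","cardHolderName":"' . $post['cardHolderName'] . '"}';
}

// Hardened pattern: declare the body as JSON, forbid MIME sniffing, and let
// json_encode escape the values. The JSON_HEX_* flags additionally turn <, >, &,
// ' and " into \uXXXX escapes, so even a mis-served response carries no raw tags.
function respond_hardened(array $post): string
{
    if (PHP_SAPI !== 'cli') {
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
    $out = [
        'mode'           => (string) ($post['mode'] ?? ''),
        'zip'            => (string) ($post['zip'] ?? ''),
        'cardHolderName' => (string) ($post['cardHolderName'] ?? ''),
    ];
    return json_encode(
        $out,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample matching the advisory's proof-of-concept body.
$sample = [
    'mode'           => 'AuthorizeNet',
    'zip'            => '<script>alert(1);</script>',
    'cardHolderName' => '<script>alert(2);</script>',
];
$vuln = respond_vulnerable($sample);
$safe = respond_hardened($sample);
// The vulnerable body still contains executable markup; the hardened one carries
// no raw angle brackets at all.
assert(str_contains($vuln, '<script>'));
assert(!str_contains($safe, '<'));
echo $safe, PHP_EOL;
```

Run it with `php` on the command line; the header() calls are skipped under the CLI SAPI so the comparison can be checked offline.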