Reflected Cross-Site Scripting in Front Payment CC in openemr/openemr

Valid

Reported on Oct 6th 2022

Description

front_payment_cc.php was not properly encoding the cardHolderName and zip parameters when mode=AuthorizeNet is sent. The response was a JSON string that included the unescaped values and was probably served with a Content-Type header of text/html, leaving it vulnerable to reflected XSS.

Proof of Concept

While it was not tested in a production environment, it could probably be triggered with a request similar to this one:

POST /openemr/interface/patient_file/front_payment_cc.php HTTP/1.1
(...snip...)
Content-Length: 65

mode=AuthorizeNet&zip=<script>alert(1);</script>&cardHolderName=<script>alert(2);</script>&payment=1&dataDescriptor=1&dataValue=1
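The two response patterns the description contrasts, as an added example that is not OpenEMR's code: a body assembled by string concatenation and emitted with PHP's default text/html type, beside a body built with json_encode and the JSON_HEX_* flags and declared as application/json. The parameter names follow the report; the handler shape, the helper names and the sample input are assumptions made for this illustration.

```php
<?php
// Added example, not OpenEMR code. Parameter names (zip, cardHolderName)
// follow the report; function names and the sample input are constructed here.

// Weak pattern: user-controlled values are spliced into the JSON text by hand
// and no Content-Type header is sent, so PHP falls back to text/html and a
// browser that opens the response directly will render any markup inside it.
function weak_response(array $post): string
{
    $zip  = $post['zip'] ?? '';
    $name = $post['cardHolderName'] ?? '';
    return '{"zip":"' . $zip . '","cardHolderName":"' . $name . '"}';
}

// Hardened pattern: build the structure as data and let json_encode escape it.
// JSON_HEX_TAG turns < and > into \u003C and \u003E, so even if the body were
// ever rendered as HTML there is no tag left to execute; JSON_HEX_AMP,
// JSON_HEX_APOS and JSON_HEX_QUOT cover the remaining HTML-significant characters.
function hardened_response(array $post): string
{
    $payload = [
        'zip'            => (string)($post['zip'] ?? ''),
        'cardHolderName' => (string)($post['cardHolderName'] ?? ''),
    ];
    return json_encode(
        $payload,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Headers that belong with the hardened body: declare it as JSON so the
// browser never treats the response as a document, and forbid MIME sniffing.
function send_json(string $body): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

// Regression check: a reflected value containing angle brackets must never
// reach the response body verbatim.
function contains_raw_tag(string $body): bool
{
    return strpos($body, '<') !== false || strpos($body, '>') !== false;
}

// Constructed sample input carrying markup and HTML-significant characters.
$sample = ['zip' => '<b>12345</b>', 'cardHolderName' => 'A & B "C"'];

echo 'weak body:     ', weak_response($sample), "\n";
echo 'hardened body: ', hardened_response($sample), "\n";
echo 'weak reflects raw tag:     ', contains_raw_tag(weak_response($sample)) ? 'yes' : 'no', "\n";
echo 'hardened reflects raw tag: ', contains_raw_tag(hardened_response($sample)) ? 'yes' : 'no', "\n";
```

Both halves of the fix matter: json_encode with the JSON_HEX_* flags removes the markup from the body, and the explicit application/json type plus nosniff stops a browser from rendering the response as a page in the first place. Either one alone narrows the reflected XSS; together they close it for this endpoint.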

Impact

An attacker could steal the session cookie, trick the user into entering their credentials or, more generally, take control of the web application's flow.

We are processing your report and will contact the openemr team within 24 hours. (a year ago)
xkulio modified the report. (a year ago)
We have contacted a member of the openemr team and are waiting to hear back. (a year ago)
We have sent a follow up to the openemr team. We will try again in 7 days. (a year ago)
openemr/openemr maintainer has acknowledged this report. (a year ago)
Brady Miller validated this vulnerability. (a year ago)
xkulio has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Brady Miller marked this as fixed in 7.0.0.2 with commit 37d7ed. (a year ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
Brady Miller published this vulnerability. (9 months ago)
Brady Miller (Maintainer), 9 months ago:

@admin, please assign a CVE. Thanks!
