Stored Cross Site Scripting in openemr/openemr
Mar 11th 2022
Stored Cross Site-Scripting (XSS)
A stored XSS vulnerability found in ” /controller.php?practice_settings&document_category&action=add_node&parent_id=XX” that allows authenticated user to inject arbitrary web script in one parameter (name). The XSS payload will be fired in the Patient’s documents list of the affected category name if any authenticated user views it.
Aden Yap Chuen Zhen (email@example.com)
Ensure to HTML encode before inserting any untrusted data into HTML element content. Ensure all inputs entered by user should be sanitized and validated before processing and storage. Inputs should be filtered by the application, for example removing special characters such as < and > as well as special words such as script.
Login as any user that has privileges to add/edit document categories. Accounting should be able to add document categories. (Administration > Practice > Practice Settings)
Click on Add/Edit in any document categories. In this example, we going to add new sub-category in Patient category with our XSS payload. Insert the payload in Category Name and Click on save category once done.
The XSS will be fired in the patient’s documents on the sub-category that we have created before. For example, an Admin can go to any patient’s documents and click on any documents with the same parent category (Patient) of the new sub-category that we created (XSS Payload). The cookies of the admin will be pop out in alert box when click on any document (2021-10-10 payload.txt-21)
This has been fixed in latest patch (patch 4) for 6.0.0, which can be found at https://www.open-emr.org/wiki/index.php/OpenEMR_Patches
Hi, Kindly issue a CVE for this vulnerability. Tq
Dear @admin I've already ping the maintainer, could you please follow up on the CVE creation? Tq
Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq
Also note that this fix is in the recently released 6.1.0 version.
I consent to creation of CVE.