Cross-site scripting in openemr/openemr

Status: Valid

Reported on: Jul 24th 2022


# Description

In this case a patient is able to execute JavaScript in the admin's session. Further exploitation could lead to admin account takeover.

Steps to reproduce:

1. Login here https://demo.openemr.io/openemr/portal
2. Go to My Documents and create a new insurance form
3. Add this payload to any selected field: "><img src=x onerror=confirm(document.cookie)>
4. Submit this form, then go to the admin dashboard at https://demo.openemr.io/openemr/interface/main/tabs/main.php and open the recently shared document


# Impact

Admin Account Takeover
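
As an added illustration of the defect class (not OpenEMR's own code and not the contents of the fix commit referenced below), here is the same patient-supplied form field rendered two ways in PHP: the vulnerable verbatim interpolation that lets the value from step 3 close the attribute and inject an element, and an output-encoded version that keeps it inert. The helper name escapeHtml and the field label are assumptions.

```php
<?php
// Added example (not OpenEMR's own code): render a patient-supplied insurance
// form field in the admin's view. The field value below is the payload quoted
// in this report, used here only as a constructed test input.
declare(strict_types=1);

// Encode a value for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES converts both ' and " to entities, so a value cannot close the
// attribute it sits in; ENT_SUBSTITUTE avoids an empty result on bad UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored value goes into the markup unchanged, so the
// leading "> closes the value attribute and the rest becomes a new element.
function renderFieldVulnerable(string $label, string $value): string
{
    return '<label>' . $label . ': <input type="text" value="' . $value . '"></label>';
}

// Hardened rendering: every untrusted piece is encoded at the point of output,
// the label included, because it may also originate from user-controlled data.
function renderFieldSafe(string $label, string $value): string
{
    return '<label>' . escapeHtml($label) . ': <input type="text" value="'
        . escapeHtml($value) . '"></label>';
}

// Constructed sample: the exact field value from step 3 of the report.
$submitted = '"><img src=x onerror=confirm(document.cookie)>';

echo "Vulnerable rendering (attribute is broken out of, element injected):\n";
echo renderFieldVulnerable('Insurance provider', $submitted), "\n\n";

echo "Hardened rendering (quotes and angle brackets become entities):\n";
echo renderFieldSafe('Insurance provider', $submitted), "\n";
```

Run it with `php example.php` and compare the two lines: only the hardened one leaves the `value` attribute closed and contains no `<img` element.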

- We are processing your report and will contact the openemr team within 24 hours. (2 months ago)
- We have contacted a member of the openemr team and are waiting to hear back. (2 months ago)
- We have sent a follow up to the openemr team. We will try again in 7 days. (2 months ago)
- Brady Miller validated this vulnerability. (2 months ago)

Thanks for the report. We are now working on a fix for this.

- Distorted_Hacker has been awarded the disclosure bounty.
Brady Miller (Maintainer), 2 months ago:

A preliminary fix has been posted in commit 9327258089a77aec3c5733f99f26d48dc2666f0d

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 1 (7.0.0.1), which will likely be in about 2-6 weeks. After I do that, it will be OK to make a CVE # and make it public.

Thanks!

- We have sent a fix follow up to the openemr team. We will try again in 7 days. (2 months ago)
- Brady Miller confirmed that a fix has been merged on 932725. (a month ago)
Brady Miller (Maintainer), a month ago:

OpenEMR patch 1 (7.0.0.1) has been released, so this has been fixed. You have permission to make CVE # and make this public.
