Cross-site Scripting (XSS) - Stored in openemr/openemr

Valid

Reported on

May 10th 2022

Description

openemr / openemr is vulnerable to Cross-site Scripting (XSS) - Stored

Proof of Concept

// Poc 
<script>alert(document.cookie)</script>

steps to reproduce:

1) login open emr patient portal https://demo.openemr.io/openemr/portal/index.php

2) goto my profile in https://demo.openemr.io/openemr/portal/home.php

3)click on pending review.

4)add the payload in the first name /middle name  (<script>alert(document.cookie)</script>)

5) click  submit changes

6) after that we get an with Error: Patient was successfully updated

7) on clicking  pending review  the xss wil be triggered

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the openemr team within 24 hours. 3 months ago

We have contacted a member of the openemr team and are waiting to hear back 3 months ago

We have sent a follow up to the openemr team. We will try again in 7 days. 3 months ago

bugruto modified the report

2 months ago

We have sent a second follow up to the openemr team. We will try again in 10 days. 2 months ago

A openemr/openemr maintainer validated this vulnerability 2 months ago

bugruto has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A openemr/openemr maintainer

commented 2 months ago

A preliminary fix for this has been placed in our development codebase at https://github.com/openemr/openemr/commit/152e551208e6de534ab194c87e9ffa4d56d294a8

The fix will officially be released in the next OpenEMR 6.1.0 patch 2 (6.1.0.2). After we release this patch, I will then mark this item as fixed (probably in about a month).

bugruto

commented 2 months ago

Researcher

@admin can cve be assigned to this issue?

Jamie Slome

commented 2 months ago

Admin

If the maintainer is happy to proceed, we can assign and publish a CVE for this report 👍

We have sent a fix follow up to the openemr team. We will try again in 7 days. 2 months ago

A openemr/openemr maintainer

commented 2 months ago

Hi, Lets not make this public until we release this fix in our next patch (6.1.0.2), which will likely be in several weeks. I will let you know when we release the patch and will then I will mark this item as officially fixed. thanks.

Jamie Slome

commented 2 months ago

Admin

Great, thanks for the update 👍

We have sent a second fix follow up to the openemr team. We will try again in 10 days. 2 months ago

We have sent a third and final fix follow up to the openemr team. This report is now considered stale. 2 months ago

A openemr/openemr maintainer confirmed that a fix has been merged on 152e55 14 days ago

The fix bounty has been dropped

A openemr/openemr maintainer

commented 14 days ago

This was fixed in OpenEMR 7.0.0, which was just released.

A openemr/openemr maintainer

commented 14 days ago

also, ok to assign cve

Jamie Slome

commented 14 days ago

Admin

Sorted 👍

to join this conversation

We are processing your report and will contact the openemr team within 24 hours. 3 months ago

We have contacted a member of the openemr team and are waiting to hear back 3 months ago

We have sent a follow up to the openemr team. We will try again in 7 days. 3 months ago

bugruto modified the report

2 months ago

We have sent a second follow up to the openemr team. We will try again in 10 days. 2 months ago

A openemr/openemr maintainer validated this vulnerability 2 months ago

bugruto has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A openemr/openemr maintainer

commented 2 months ago

A preliminary fix for this has been placed in our development codebase at https://github.com/openemr/openemr/commit/152e551208e6de534ab194c87e9ffa4d56d294a8

The fix will officially be released in the next OpenEMR 6.1.0 patch 2 (6.1.0.2). After we release this patch, I will then mark this item as fixed (probably in about a month).

bugruto

commented 2 months ago

Researcher

@admin can cve be assigned to this issue?

Jamie Slome

commented 2 months ago

Admin

If the maintainer is happy to proceed, we can assign and publish a CVE for this report 👍

We have sent a fix follow up to the openemr team. We will try again in 7 days. 2 months ago

A openemr/openemr maintainer

commented 2 months ago

Jamie Slome

commented 2 months ago

Admin

Great, thanks for the update 👍

We have sent a second fix follow up to the openemr team. We will try again in 10 days. 2 months ago

We have sent a third and final fix follow up to the openemr team. This report is now considered stale. 2 months ago

A openemr/openemr maintainer confirmed that a fix has been merged on 152e55 14 days ago

The fix bounty has been dropped

A openemr/openemr maintainer

commented 14 days ago

This was fixed in OpenEMR 7.0.0, which was just released.

A openemr/openemr maintainer

commented 14 days ago

also, ok to assign cve

Jamie Slome

commented 14 days ago

Admin

Sorted 👍

to join this conversation