Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in openemr/openemr


Reported on

Mar 21st 2022

Vulnerability Type

Stored Cross Site-Scripting (XSS)

Affected URL

https://localhost/openemr-6.0.0/ /interface/super/rules/index.php?action=edit!submit_summary

Affected Parameters


###Authentication Required? Yes

Issue Summary

Non-privilege users (accounting, front-office) can create new rule and allows them to inject arbitrary web script that led to Stored Cross Site Scripting. This vulnerability found in “/interface/super/rules/index.php?action=edit!submit_summary” on one parameter (fid_title). The XSS payload will be fired in the Plan Rules that can only be viewed by privileged users.


nsure to HTML encode before inserting any untrusted data into HTML element content. Ensure all inputs entered by user should be sanitized and validated before processing and storage. Inputs should be filtered by the application, for example removing special characters such as < and > as well as special words such as script.


Aden Yap Chuen Zhen (

Rizan, Sheikh (

Ali Radzali (

Issue Reproduction

Login to EMR using admin and we can see there is a Rules tab in (Administration > Practice > Rules).

1.png Figure 1: Login as Administrator and Go to Rules tab

Login to EMR using non-privilege users (accountant, front-office) and we can see there is no Rules tab in (Administration > Practice).

2.png Figure 2: Login as Accountant and Check For Rules tab

Using Burp, we intercept the Admin request to add new rules in Rules tab and swap the “OpenEMR” cookie using an Accountant cookie and we are be able to create new rule that contain our XSS payload.

3.png Figure 3: Burp Request Captured Using Accountant Cookie to Create New Rule

The Raw Request looks like:

POST /openemr/interface/super/rules/index.php?action=edit!submit_summary HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: OpenEMR=zfLGOSTbtLDyoLLIFMlBPUrBWNNlzrYN5y60Z-BItjBhTNw0;

Go to Rules page (Administration > Practice > Rules) and Click “Go” on Plans Configuration.

4.png Figure 4: Plans & Rules Configuration Page

The XSS will be fired in any Plans configurations. For example, an Admin can select any plans and the cookies of the admin will be pop out in alert box.

5.png Figure 5: XSS Fired in Any Selected Plans

We are processing your report and will contact the openemr team within 24 hours. a year ago
r00t.pgp modified the report
a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
openemr/openemr maintainer has acknowledged this report a year ago
openemr/openemr maintainer validated this vulnerability a year ago
r00t.pgp has been awarded the disclosure bounty
The fix bounty is now up for grabs
openemr/openemr maintainer
a year ago


This has been fixed in .

openemr/openemr maintainer marked this as fixed in with commit 347ad6 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


Hi, Kindly issue a CVE for this vulnerability. Tq

a year ago


Dear @admin I've already ping the maintainer, could you please follow up on the CVE creation? Tq

Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq

openemr/openemr maintainer
a year ago


Also note that this fix is also in the recently released 6.1.0 version.

I consent to creation of CVE.

Jamie Slome
a year ago


Sorted 👍

to join this conversation