Stored XSS in openemr/openemr
Reported on
Sep 13th 2022
Description
OpenEMR has a feature to customize the "User Manual Link Override". Due to insufficient sanitization, this field accepts the javascript: URL scheme, so the resulting link executes JavaScript when it is clicked.
Proof of Concept
- Log in as admin
- Go to Global Settings - Branding
- Edit the "User Manual Link Override" field
- Insert the payload
- Log out as admin
- Log in as any user and go to "About OpenEMR"
- Click the "User Manual" button
PAYLOAD: javascript:alert(document.cookie)
Video PoC

Impact
The impact is JavaScript code execution in the browser of any user who clicks the User Manual button. However, admin privileges are required to edit the vulnerable input field.
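The defensive counterpart to the report above, as an added example that is not OpenEMR's own code or its actual patch: an admin-configurable link field is validated against an allow-list of URL schemes at save time, then HTML-escaped at render time. It uses Node's WHATWG `URL` parser; the base origin and the default manual URL are constructed placeholders.

```javascript
// Added example (not OpenEMR's own code): allow-list validation for an
// admin-configurable link such as the "User Manual Link Override" field,
// plus safe rendering of the resulting <a> element.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const BASE_ORIGIN = 'https://openemr.example.invalid/'; // placeholder (assumption)

// Accepts only http(s) URLs or application-relative paths. The parser
// normalizes scheme case and surrounding whitespace, so an allow-list on
// url.protocol rejects javascript:, data: and every other scheme without
// maintaining a deny-list that has to anticipate each variant.
function isSafeManualLink(raw) {
  if (typeof raw !== 'string') return false;
  const value = raw.trim();
  if (value === '') return false;
  let url;
  try {
    url = new URL(value, BASE_ORIGIN); // relative paths resolve against the app
  } catch (err) {
    return false; // unparsable input is refused outright
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// What the settings page should persist: the override only if it passes,
// otherwise the product default. Validation belongs at save time so a bad
// value never reaches the database, but the render path re-checks anyway.
function resolveManualLink(override, defaultLink) {
  return isSafeManualLink(override) ? override.trim() : defaultLink;
}

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the "User Manual" button's anchor on the About page.
function renderManualButton(override, defaultLink) {
  const href = resolveManualLink(override, defaultLink);
  return `<a href="${escapeAttr(href)}" target="_blank" rel="noopener">User Manual</a>`;
}

// Constructed sample values, including the payload from this report.
const DEFAULT_MANUAL = 'https://docs.example.invalid/manual'; // placeholder
const REPORTED_PAYLOAD = 'javascript:alert(document.cookie)';
console.log(renderManualButton(REPORTED_PAYLOAD, DEFAULT_MANUAL)); // falls back to the default
```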
A preliminary fix has been posted in commit 4565d8d1eb80c6aa42cf6b1810ba0a64e0f6abde
Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 2-4 weeks. After I do that, it will be OK to create a CVE # and make it public.
@admin, very nice feature on the Publish button!
@Hakiduck, plan to "Publish" this about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 2-4 weeks.
@admin, looks like there may be a bug on this Publish feature.
I reported that this was Fixed but have not yet clicked the Publish button.
This report now no longer shows up in my dashboard unless I toggle to show all reports. And when I do that, the row for this report shows two green check marks, and when I hover over the two green check marks it states that it is "Fixed and Published".
Hoping to ensure this does not go public yet.
@admin, disregard my above message. I noted the new dashboard UI today (which is very nice btw), which addresses my issues.
Hi, I will use the Publish feature when ready to make this public. We are still in the process of releasing patch 2 for 7.0.0, which should be in several weeks, so we are unable to make it public at this time.
Hi @admin @mantainer, I saw that the patch is ready and published. Could we get a CVE now? Thanks
Hi, @admin mantainer said that you can assign a CVE to this vuln. Thanks
