Stored XSS in openemr/openemr

Valid

Reported on

Sep 13th 2022


Description

OpenEMR has a feature to customize the "User Manual Link Override". Due to insufficient sanitization, the field accepts a URL with the `javascript:` scheme, which executes JavaScript code when the link is followed.

Proof of Concept

  1. Log in as admin
  2. Go to Global Settings - Branding
  3. Edit the "User Manual Link Override" field
  4. Insert the payload
  5. Log out of the admin account
  6. Log in as any user and go to "About OpenEMR"
  7. Click the User Manual button

PAYLOAD: javascript:alert(document.cookie)

Video PoC StoredXSS

Impact

The impact is JavaScript code execution in the browser of any user who clicks the User Manual button. However, admin privileges are required to edit the vulnerable input field.
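An added example of the kind of check that closes this class of bug (example code, not OpenEMR's own and not the fix in the referenced commit): a scheme allowlist applied to the link setting before it is stored, and again where it is rendered as an href. It uses Node's global `URL` (the WHATWG parser, the same normalisation a browser applies to an href), and `docs.example.com` is a constructed placeholder, not OpenEMR's default manual link.

```javascript
// Allowlist of schemes a "User Manual Link Override" may use. Matching on the
// parsed protocol, rather than on the raw string, means case variants and
// embedded tab/newline characters cannot slip a javascript: URL past the check.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalised absolute URL if its scheme is http(s), otherwise null.
// Relative and scheme-relative ("//host/...") inputs make the parser throw and
// are rejected; any other scheme (javascript:, data:, file:, ...) is rejected
// by the allowlist, so no denylist of known-bad prefixes is needed.
function validateManualLink(input) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    parsed = new URL(input); // trims surrounding whitespace, strips tab/newline, lower-cases scheme
  } catch {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Minimal HTML attribute escaping for the rendered anchor.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render-time guard: a value stored before validation existed may already be
// tainted, so the override is re-checked here and the default link is used
// when it fails. The default URL is a constructed placeholder.
function manualButtonHtml(overrideSetting, defaultUrl = "https://docs.example.com/manual") {
  const href = validateManualLink(overrideSetting) ?? defaultUrl;
  return `<a href="${escapeAttr(href)}" target="_blank" rel="noopener">User Manual</a>`;
}

// Constructed sample inputs: the report's payload plus variants of it that a
// check on the literal prefix "javascript:" would miss.
const SAMPLES = [
  "https://docs.example.com/manual",
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(document.cookie)",
  "   javascript:alert(document.cookie)",
  "java\tscript:alert(document.cookie)",
  "data:text/plain,hello",
  "//docs.example.com/manual",
];

for (const input of SAMPLES) {
  console.log(JSON.stringify(input), "->", validateManualLink(input));
}
```

Only the first sample is accepted; every other line prints `null`.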

We are processing your report and will contact the openemr team within 24 hours. 8 months ago
We have contacted a member of the openemr team and are waiting to hear back 8 months ago
We have sent a follow up to the openemr team. We will try again in 7 days. 8 months ago
openemr/openemr maintainer has acknowledged this report 8 months ago
Brady Miller validated this vulnerability 8 months ago

A preliminary fix has been posted in commit 4565d8d1eb80c6aa42cf6b1810ba0a64e0f6abde

Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 2-4 weeks. After I do that, then will be ok to make CVE # and make it public.

Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller gave praise 8 months ago
btw, thanks for the report!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hakiduck
8 months ago

Researcher


you're welcome!

We have sent a fix follow up to the openemr team. We will try again in 7 days. 7 months ago
We have sent a second fix follow up to the openemr team. We will try again in 10 days. 7 months ago
We have sent a third and final fix follow up to the openemr team. This report is now considered stale. 7 months ago
Brady Miller marked this as fixed in 7.0.0.2 with commit 4565d8 7 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Brady Miller
7 months ago

Maintainer


@admin, very nice feature on the Publish button!

@Hakiduck, plan to "Publish" this about 1 week after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 2-4 weeks.

Brady Miller
7 months ago

Maintainer


@admin, looks like there may be a bug on this Publish feature.

I reported that this was Fixed but have not yet clicked the Publish button.

This report now no longer shows up in my dashboard unless I toggle to show all reports. And when I do that, the row for this report is showing that it has two green check marks, and when I hover over the two green check marks it states that it is "Fixed and Published".

Hoping to ensure this does not go public yet.

Brady Miller
7 months ago

Maintainer


@admin, disregard my above message. I noted the new dashboard UI today (which is very nice btw), which addresses my issues.

Pavlos
7 months ago

Admin


@maintainer thank you that's very nice to hear😊

Hakiduck
7 months ago

Researcher


@admin @maintainer could we get a CVE?

Pavlos
7 months ago

Admin


@mike993 we're awaiting the maintainer's approval for that

Brady Miller
7 months ago

Maintainer


Hi, I will use the Publish feature when ready to make public. We are still in progress of releasing patch 2 for 7.0.0 which should be in several weeks, so unable to make public at this time.

Brady Miller published this vulnerability 5 months ago
Hakiduck
5 months ago

Researcher


Hi @admin @maintainer, I saw that the patch is ready and published. Could we get a CVE now? Thanks

Brady Miller
5 months ago

Maintainer


@admin, ok to assign a CVE. thanks!

Hakiduck
5 months ago

Researcher


@admin

Pavlos
5 months ago

Admin


On it :)

Hakiduck
5 months ago

Researcher


Hi @admin, the maintainer said that you can assign a CVE to this vuln. Thanks
