Reflected Cross Site Scripting in openemr/openemr
Mar 21st 2022
Reflected Cross-Site Scripting (XSS)
A reflected XSS vulnerability was found in “/interface/main/calendar/index.php” that allows an Admin user to inject arbitrary web script through one parameter (newname). The XSS payload is reflected in the Confirmation page after the user clicks Save for the new category in Calendar.
HTML-encode any untrusted data before inserting it into HTML element content. All user-supplied input should be sanitized and validated before it is processed or stored. The application should also filter input, for example by removing special characters such as < and > as well as special words such as script.
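The following is an added example, not code from OpenEMR or from the original report. It shows a confirmation page built with and without output encoding of a submitted name. The function names, the allow-list policy and the sample value for `newname` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names for illustration; not OpenEMR's own functions.

/** Encode untrusted text for HTML element content or a quoted attribute. */
function encode_html(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Input validation: allow-list for a category name (assumed policy). */
function is_valid_category_name(string $name): bool
{
    // Letters, digits, space, dot, underscore and hyphen; 1 to 64 characters.
    return preg_match('/\A[\p{L}\p{N} ._\-]{1,64}\z/u', $name) === 1;
}

/** Before: the submitted name is concatenated into the page unchanged. */
function confirmation_unsafe(string $newname): string
{
    return '<p>Category saved: ' . $newname . '</p>';
}

/** After: the same page with the name encoded at the point of output. */
function confirmation_safe(string $newname): string
{
    return '<p>Category saved: ' . encode_html($newname) . '</p>';
}

// Constructed sample input standing in for the "newname" parameter.
$newname = 'Follow-up <script>/* constructed marker */</script>';

// Validation decides whether the request is accepted at all.
var_dump(is_valid_category_name($newname));

// Encoding decides how an accepted (or echoed-back) value is rendered.
echo confirmation_unsafe($newname), PHP_EOL;
echo confirmation_safe($newname), PHP_EOL;
```

Validation and encoding are independent controls: the allow-list rejects the request, while encoding keeps the value inert even on pages that echo rejected input back to the user.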
Aden Yap Chuen Zhen (firstname.lastname@example.org)
Rizan, Sheikh (email@example.com) Ali Radzali (firstname.lastname@example.org)
Log in as an Admin. Click on Administration > Clinic > Calendar, then click on Categories.
In New Category, insert this payload in the Name input box. Once done, click on Save.
The XSS will be reflected on the confirmation page along with the user's cookies.