Reflected XSS in /library/custom_template/share_template.php in openemr/openemr

Valid

Reported on

Mar 30th 2023

Description

There exist a reflected XSS in /library/custom_template/share_template.php in the 'list_id' parameter.

Proof of Concept

http://openemr.local/library/custom_template/share_template.php?list_id=1}});}}alert(1);function%20x(){if(1){a=({a:{a:1

fix

properly sanitize the list_id parameter.

Impact

An XSS can be leveraged to take over arbitrary accounts or make actions on behalf of other users.

We are processing your report and will contact the openemr team within 24 hours. 8 months ago
We have contacted a member of the openemr team and are waiting to hear back 8 months ago
openemr/openemr maintainer has acknowledged this report 8 months ago
Brady Miller validated this vulnerability 8 months ago

This is fixed is in master branch at https://github.com/openemr/openemr/commit/af1ecf78d1342519791bda9d3079e88f7d859015

@tsarsecurity, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 1-3 weeks, which will include this fix. At that time (after release OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a cve).

thanks for the report @tsarsecurity !

TsarSec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
TsarSec
8 months ago

Researcher

No worries! I appreciate the quick response.

Brady Miller marked this as fixed in 7.0.1 with commit af1ecf 6 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Brady Miller published this vulnerability 6 months ago
share_template.php#L58 has been validated
to join this conversation