Stored Cross Site Scripting in openemr/openemr

Valid

Reported on

Mar 21st 2022


Vulnerability Type

Stored Cross Site-Scripting (XSS)

Affected URL

https://localhost/openemr-6.0.0/interface/new/new_comprehensive_save.php

Affected Parameters

form_fname, form_lname

Authentication Required?

Yes

Issue Summary

A stored XSS vulnerability was found in “/interface/new/new_comprehensive_save.php” that allows an authenticated user to inject arbitrary web script via two different parameters (form_fname, form_lname). The XSS payload fires in the Ledger, History and Transactions tabs of the patient’s dashboard when any authenticated user views them.

Recommendation

HTML-encode untrusted data before inserting it into HTML element content. All user input should be sanitized and validated before processing and storage. Inputs should be filtered by the application, for example by removing special characters such as < and > as well as special words such as script.
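The following is an added example, not code from the report or from OpenEMR (the project's actual fix in commit 2835cc is not reproduced here). It contrasts the unsafe pattern the report describes, a stored first/last name concatenated straight into page HTML, with output encoding at the HTML boundary, and adds a defender's check for records that were saved before a fix. The function names, the sample record and the table layout are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample record: what the patient row could hold after the
// report's payload was saved in the first-name field (hypothetical data).
$patient = [
    'fname' => '<script>alert(document.cookie)</script>',
    'lname' => "O'Brien",
];

// Vulnerable pattern: stored values are concatenated directly into HTML,
// so a stored <script> element is parsed and executed by the browser.
function renderNameUnsafe(array $p): string
{
    return '<td>' . $p['fname'] . ' ' . $p['lname'] . '</td>';
}

// Hardened pattern: encode at the output boundary for the HTML context.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// attributes quoted either way; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop data.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNameSafe(array $p): string
{
    return '<td>' . h($p['fname']) . ' ' . h($p['lname']) . '</td>';
}

// Defender's check for data stored before the fix: output encoding protects
// rendering, but it does not clean what is already in the table. Flag names
// containing markup characters so they can be reviewed by an administrator.
function looksLikeMarkup(string $s): bool
{
    return (bool) preg_match('/[<>]|&#|javascript:/i', $s);
}

echo renderNameUnsafe($patient), PHP_EOL;
echo renderNameSafe($patient), PHP_EOL;

foreach (['fname', 'lname'] as $field) {
    if (looksLikeMarkup($patient[$field])) {
        echo "review needed: {$field} contains markup", PHP_EOL;
    }
}
```

Output encoding on every render path is the control that actually closes this class of bug: the report shows the same stored value reaching three different tabs (Ledger, History, Transactions), so escaping in one view while leaving another unescaped still leaves a sink. Removing characters such as < and > or the word "script" at input time, as the recommendation also suggests, is at best a secondary layer, since it alters legitimate data and is easy to miss in one of several entry points.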

Credits

Aden Yap Chuen Zhen (chuenzhen.yap2@baesystems.com)
Rizan, Sheikh (rizan.sheikhmohdfauzi@baesystems.com)
Ali Radzali (muhammadali.radzali@baesystems.com)

Issue Reproduction

Log in as any user with privileges to create a new patient; clinicians can do this too (click Patient/Client > New/Search).

Figure 1: Login as Clinicians and Create New Patient

Insert this payload in either of the two input boxes (First Name, Last Name). Then click “Create New Patient” and confirm it.

<script>alert(document.cookie)</script>

Figure 2: Insert Payload in First Name

We are taken to the patient’s dashboard, which now shows the XSS payload in the patient’s name.

Figure 3: Patient’s Dashboard with XSS Payload in Name

The XSS fires in the Ledger, History and Transactions tabs, but not all roles have privileges to view them. Log in as Administrator or Accounting and click the Ledger tab of that patient. The user’s cookies pop up in an alert box.

Figure 4: XSS Fired in Ledger Tab of the Patient

Click the Transactions tab of that patient, then click New or Edit on any transaction. The user’s cookies pop up in the alert box.

Figure 5: XSS Fired in Transactions Tab of the Patient

Click the History tab of that patient, then click Edit. The user’s cookies pop up in the alert box.

Figure 6: XSS Fired in History Tab of the Patient

We are processing your report and will contact the openemr team within 24 hours. 2 years ago
We have contacted a member of the openemr team and are waiting to hear back 2 years ago
We have sent a follow up to the openemr team. We will try again in 7 days. 2 years ago
openemr/openemr maintainer validated this vulnerability 2 years ago
r00t.pgp has been awarded the disclosure bounty
The fix bounty is now up for grabs
openemr/openemr maintainer
2 years ago

Maintainer


This was fixed for 6.0.0 in patch 2 (6.0.0.2). This patch was released about 10 months ago.

openemr/openemr maintainer marked this as fixed in 6.0.0.2 with commit 2835cc 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
r00t.pgp
2 years ago

Researcher


Dear @admin, I've already pinged the maintainer, could you please follow up on the CVE creation? Tq

Dear @maintainer, could you kindly confirm that CVE can be created for this report? Tq

openemr/openemr maintainer
2 years ago

Maintainer


Also note that this fix is also in the recently released 6.1.0 version.

I consent to creation of CVE.

Jamie Slome
2 years ago

Admin


Sorted 👍
