Reflected XSS in interface/forms/eye_mag/js/eye_base.php in openemr/openemr

Valid

Reported on

Mar 30th 2023


Description

There exists a reflected XSS in /interface/forms/eye_mag/js/eye_base.php in the 'providerID' parameter.

Proof of Concept

http://openemr.local/interface/forms/eye_mag/js/eye_base.php?providerID=%3Cimg%20src=x%20onerror=alert(1);%3E

Fix

Properly sanitize the providerID parameter.

Impact

An XSS can be leveraged to take over arbitrary accounts or make actions on behalf of other users.
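The bug class and the fix direction named in the report, shown as an added PHP example that is not code from OpenEMR or from the fix commit. The function names, the way the value is emitted, and the assumption that provider IDs are numeric are hypothetical.

```php
<?php
// Added illustration; not OpenEMR source. All function names are hypothetical.

// Vulnerable pattern: a PHP file that emits JavaScript and copies a query
// parameter into the output unencoded. PHP's default Content-Type is
// text/html, so markup in the parameter is parsed by the browser.
function render_vulnerable(array $query): string
{
    $providerID = $query['providerID'] ?? '';
    return "var providerID = '" . $providerID . "';\n";
}

// Encode any value as a JavaScript literal. The JSON_HEX_* flags turn
// <, >, &, ' and " into \uXXXX escapes, so the value can neither close
// the surrounding string nor open an HTML tag.
function js_literal($value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags);
}

// Hardened pattern: validate against the expected shape first, then encode
// for the output context regardless of whether validation passed.
function render_hardened(array $query): string
{
    $raw = $query['providerID'] ?? '';
    // Assumption: provider IDs consist of digits only. Anything else,
    // including array input (providerID[]=...), becomes an empty value.
    $id = (is_string($raw) && ctype_digit($raw)) ? $raw : '';
    return 'var providerID = ' . js_literal($id) . ";\n";
}

// A script endpoint should declare itself as script and forbid MIME
// sniffing, so the response is never rendered as an HTML document.
function send_script(string $body): void
{
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

// Constructed sample input: the URL-decoded value from the proof of concept.
$query = ['providerID' => '<img src=x onerror=alert(1);>'];

send_script(render_hardened($query));
```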

We are processing your report and will contact the openemr team within 24 hours. (a year ago)
We have contacted a member of the openemr team and are waiting to hear back. (a year ago)
openemr/openemr maintainer has acknowledged this report (10 months ago)
Brady Miller
10 months ago

This is fixed in master branch at https://github.com/openemr/openemr/commit/af1ecf78d1342519791bda9d3079e88f7d859015

@tsarsecurity, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 1-3 weeks, which will include this fix. At that time (after releasing OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a CVE).

Thanks for the report, @tsarsecurity!

Brady Miller validated this vulnerability 10 months ago
tsarsecurity has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
TsarSec
10 months ago

Researcher


No worries, I hope you can update this report once you publish your next release!

Brady Miller marked this as fixed in 7.0.1 with commit af1ecf 9 months ago
The fix bounty has been dropped
This vulnerability has now been published 9 months ago
eye_base.php#L372 has been validated