Stored HTML injection in Patient chat functionality in openemr/openemr


Reported on

Dec 25th 2022


I've found out that it is possible to inject HTML code in Patient Chat functionality, which allows malicious code to be stored there and potentially affect the other chat users

Proof of Concept

  • Login from the patient portal. I've used the demo instance here:
  • Go to the chat functionality and write a Payload like this:
<a href=//>click here</a>

You'll see that unsanitized HTML code will appear on the chat.


  • Click on the link to actually be redirected to the evil site.



In this way it is possible to perform a series of actions ranging from stealing credentials, taking the victim to an arbitrary site, or the possibility of inserting false messages to the victim.

We are processing your report and will contact the openemr team within 24 hours. a year ago
leorac modified the report
a year ago
leorac modified the report
a year ago
We have contacted a member of the openemr team and are waiting to hear back a year ago
openemr/openemr maintainer has acknowledged this report a year ago
stephen waite
a year ago


Thanks for the report. A preliminary fix has been posted in PR

Please do not create a CVE # or make this vulnerability public at this time. We will make this fix official about 1 week after we release 7.0.0 patch 3 (, which will likely be in about 1-3 weeks. After we do that, then will be ok to make CVE # and make it public.


Brady Miller validated this vulnerability a year ago

This is fixed is in master branch at

@leorac, @admin, I am unable to mark this as fixed, since that requires hard-setting a publish date, which I am unable to safely predict. We plan to release OpenEMR 7.0.1 in about 3-4 weeks, which will include this fix. At that time (after release OpenEMR 7.0.1), we will then mark this issue as fixed (and publish at that time with a cve).

thanks for the report @leorac !

leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Brady Miller marked this as fixed in 7.0.1 with commit c1c080 6 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Brady Miller published this vulnerability 6 months ago
to join this conversation