OpenEMR Stored Cross-Site Scripting Vulnerability in Bronchitis Form Component

A stored cross-site scripting vulnerability has been identified in the Bronchitis form component of OpenEMR, affecting versions prior to 7.0.3. This vulnerability allows users who can edit a bronchitis form to inject malicious scripts that could steal credentials from administrators. The issue arises from improper sanitization of user input, particularly in fields related to the appearance of bronchitis symptoms.

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed when the form is accessed, potentially leading to the theft of administrative credentials and session tokens.

Reproduction

To reproduce this vulnerability, enable the bronchitis form and open a patient encounter. While editing a bronchitis form, inject a script payload into the 'Bronchitis Ops Appearance' or 'Bronchitis Oropharynx Appearance' fields. After saving the form, reopen it for editing to trigger the execution of the injected script.

Remediation

Users can update to OpenEMR version 7.0.3 or later to address this vulnerability.