OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 7.0.3.4
A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 7.0.3.4. This vulnerability allows any authenticated user with patient creation privileges to inject arbitrary JavaScript into the system. The injection occurs by entering malicious payloads in the First and Last Name fields during patient registration. The injected code is executed when viewing the patient's encounter under Orders → Procedure Orders.
Because the payload is stored, the injected JavaScript is executed automatically whenever the affected patient record is viewed. This could lead to session hijacking, unauthorized actions, or exfiltration of sensitive data such as patient records or credentials.
To reproduce this vulnerability, log in to OpenEMR as an administrator and navigate to the patient registration form. Enter a crafted JavaScript payload, such as an iframe tag sourcing a JavaScript URL, into the First and Last Name fields. After creating the patient, add a new encounter and select Orders → Procedure Orders. The injected JavaScript is executed, demonstrating the cross-site scripting vulnerability.
Users can update to OpenEMR version 7.0.3.4 or later, where this vulnerability has been patched.
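Because the payload is stored, name values entered before the upgrade remain in the database, so it is worth auditing existing patient names for markup. The following is an added example, not OpenEMR code and not part of the original advisory; it assumes patient rows exported as dictionaries with `pid`, `fname` and `lname` keys, runs on constructed sample data, and its `render_name` helper illustrates output encoding in general rather than the project's actual fix.

```python
import html
import re
from urllib.parse import unquote

# Markers that have no place in a person's name but appear in script-injection payloads.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"      # start of an HTML tag or comment
    r"|javascript\s*:"      # script URL scheme
    r"|\bon[a-z]+\s*=",     # inline event-handler attribute
    re.IGNORECASE,
)

def normalize(value, rounds=3):
    """Undo layered entity/percent encoding so encoded markup is still visible."""
    for _ in range(rounds):
        decoded = unquote(html.unescape(value))
        if decoded == value:
            break
        value = decoded
    # Browsers ignore tabs and newlines inside URL schemes, so drop them before matching.
    return re.sub(r"[\t\r\n\x00]", "", value)

def audit_names(rows):
    """Return (pid, field, raw_value) for every name field that carries markup."""
    findings = []
    for row in rows:
        for field in ("fname", "lname"):
            raw = row.get(field) or ""
            if SUSPICIOUS.search(normalize(raw)):
                findings.append((row["pid"], field, raw))
    return findings

def render_name(fname, lname):
    """Output-encode at render time, so stored markup displays as inert text."""
    return html.escape(f"{lname}, {fname}", quote=True)

# Constructed sample rows (hypothetical export, not real patient data).
SAMPLE_ROWS = [
    {"pid": 1, "fname": "Siobhán", "lname": "O'Brien"},
    {"pid": 2, "fname": "Anne-Marie", "lname": "D<3"},
    {"pid": 3, "fname": '<iframe src="javascript:alert(1)">', "lname": "Test"},
    {"pid": 4, "fname": "Test", "lname": "&lt;script&gt;alert(1)&lt;/script&gt;"},
    {"pid": 5, "fname": "%3Cimg src=x onerror=alert(1)%3E", "lname": None},
]

if __name__ == "__main__":
    for pid, field, raw in audit_names(SAMPLE_ROWS):
        print(f"pid={pid} {field}: {raw!r} -> renders as {html.escape(raw)!r}")
```

Flagged records should be reviewed and cleaned by hand; legitimate names with apostrophes, hyphens or accents pass the check unchanged.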