OpenEMR Stored Cross-Site Scripting Vulnerability in GAD-7 Form Allows Session Hijacking and Privilege Escalation

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0, specifically within the GAD-7 anxiety assessment form. This vulnerability allows authenticated users with clinician privileges to inject malicious JavaScript, which is executed when other users view the form. The issue enables session hijacking, account takeover, and privilege escalation from clinician to administrator.

Impact

Exploitation of this vulnerability allows session hijacking: an attacker can steal the session token of any user who views the compromised form. This leads to account takeover, granting full access to the victim's account. Because the form can be viewed by any role, a clinician who exploits the flaw can escalate to administrator access by capturing an administrator's session. The injected payload is stored in the database, so the script executes every time the form is rendered rather than only once.

Reproduction

To reproduce this vulnerability, an authenticated user with clinician privileges injects a JavaScript payload into the GAD-7 form, specifically into the 'control_worry_score' field. After the form is saved, the stored value is rendered without encoding, so the injected script executes when another user clicks the 'Edit' button on the compromised form, allowing the attacker to hijack that user's session.

Remediation

Users can update to OpenEMR version 8.0.0 or later, where this vulnerability has been fixed.
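The defect class behind this advisory, shown as an added illustration that is not OpenEMR's own code: a stored GAD-7 answer written into the Edit view's input attribute verbatim, beside the same rendering with attribute-context encoding and an input-side check. The `$row` array, the function names and the sample value are assumptions; the allowed score range should come from the form's own definition.

```php
<?php
// Added example (not OpenEMR code). $row stands in for the record read back from the
// database; the value is constructed and contains a quote and an angle bracket only.
$row = ['control_worry_score' => '3"><b>not a score</b>'];

// Vulnerable pattern: the stored value is interpolated straight into the attribute, so a
// quote in it closes value="..." and whatever follows becomes markup for every viewer.
function renderUnsafe(array $row): string
{
    return '<input type="text" name="control_worry_score" value="'
        . $row['control_worry_score'] . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES covers both quote
// styles, ENT_SUBSTITUTE avoids returning an empty string on bad byte sequences, and the
// charset is stated explicitly so the encoder never guesses.
function renderSafe(array $row): string
{
    $v = htmlspecialchars($row['control_worry_score'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="control_worry_score" value="' . $v . '">';
}

// Defence in depth: a score is a small non-negative integer, so reject anything else on the
// way in. This does not replace output encoding, which is the actual fix for XSS.
function isValidScore($value): bool
{
    return is_string($value) && preg_match('/^[0-9]+$/', $value) === 1;
}

echo "Unsafe: " . renderUnsafe($row) . PHP_EOL;   // attribute is broken out of
echo "Safe:   " . renderSafe($row) . PHP_EOL;     // value stays inside the attribute
echo "Valid:  " . (isValidScore($row['control_worry_score']) ? 'yes' : 'no') . PHP_EOL;
```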

Added: Feb 25, 2026, 2:24 AM
Updated: Feb 25, 2026, 2:24 AM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           4.5
impact           5.4
exploitability   5.5
remediation      0.0
relevance        3.2
threat           4.8
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.