OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 7.0.4
A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0. An authenticated user holding the 'Forms administration' role can store arbitrary HTML and JavaScript by entering it as a questionnaire response; the application saves the answer without neutralising it and later renders it unescaped. The injected script runs automatically in the browser of any other user with the same role who views the form answers in a patient encounter page or in the visit history. Because the script executes with the viewing user's session, it can be used to hijack that session, perform actions as that user, or exfiltrate sensitive information such as patient records and credentials.
The payload is persistent: once saved, it fires every time the affected form responses are displayed, so a single injection can reach many users over time and lead to session hijacking, unauthorized actions, or theft of sensitive information such as patient records and credentials.
To reproduce this vulnerability (in a test instance, not a production system), log into OpenEMR with a user that has the 'Forms administration' role. Create or select a patient and a visit, then open the 'Encounter' tab. Select a questionnaire that accepts free-text input, enter a payload such as an image tag with an 'onerror' event handler, and save. The injected script executes as soon as the answers are rendered and again whenever the form is viewed from the visit history.
Users can upgrade to OpenEMR version 8.0.0 or later, where this vulnerability has been fixed. After upgrading, it is worth reviewing questionnaire responses already stored in the database for HTML tags or event-handler attributes, since any payload saved before the upgrade is still present in the stored data.
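The following is an added example, not code from OpenEMR or from the advisory. It models the two halves of the issue described above: an answer echoed straight into HTML (the vulnerable pattern) beside the same answer escaped for an HTML text context (the hardened pattern), and an audit routine that walks a stored FHIR QuestionnaireResponse and flags answers carrying markup or event handlers. The sample response is constructed inline; the table/column layout in which OpenEMR actually stores responses is not assumed, only the standard FHIR structure (nested `item` entries with `answer[].valueString`).

```python
"""Stored-XSS check for questionnaire answers (added example, not OpenEMR code).

Shows the unescaped rendering that lets a stored payload execute, the escaped
rendering that neutralises it, and an audit over a FHIR QuestionnaireResponse
for answers that contain HTML tags, on* handlers or javascript: URLs.
"""
import html
import json
import re

# Constructed sample (not real patient data): one benign answer and one answer
# carrying the kind of payload the advisory describes (img tag with onerror).
SAMPLE_RESPONSE = json.dumps({
    "resourceType": "QuestionnaireResponse",
    "status": "completed",
    "item": [
        {"linkId": "1", "text": "Any allergies?",
         "answer": [{"valueString": "Penicillin"}]},
        {"linkId": "2", "text": "Symptoms", "item": [
            {"linkId": "2.1", "text": "Describe",
             "answer": [{"valueString": '<img src=x onerror="alert(document.cookie)">'}]},
        ]},
    ],
})


def render_answer_vulnerable(answer: str) -> str:
    """Vulnerable pattern: the stored answer is interpolated into HTML as-is,
    so a tag inside it becomes part of the page and its handler runs."""
    return f"<td>{answer}</td>"


def render_answer_safe(answer: str) -> str:
    """Hardened pattern: escape <, >, &, quotes before output so the browser
    shows the payload as text instead of parsing it as markup."""
    return f"<td>{html.escape(answer, quote=True)}</td>"


def iter_string_answers(items):
    """Yield (linkId, valueString) for every string answer, recursing into
    nested item groups as the FHIR QuestionnaireResponse structure allows."""
    for item in items or []:
        for ans in item.get("answer", []):
            if "valueString" in ans:
                yield item.get("linkId"), ans["valueString"]
        yield from iter_string_answers(item.get("item"))


# Markup that has no business in a free-text questionnaire answer:
# any HTML tag, an on*= event attribute, or a javascript: URL.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def find_suspicious_answers(response_json: str):
    """Return [(linkId, value), ...] for answers that look like injected markup.
    Non-QuestionnaireResponse resources yield an empty list."""
    resp = json.loads(response_json)
    if resp.get("resourceType") != "QuestionnaireResponse":
        return []
    return [(link_id, value)
            for link_id, value in iter_string_answers(resp.get("item"))
            if SUSPICIOUS.search(value)]


if __name__ == "__main__":
    for link_id, value in find_suspicious_answers(SAMPLE_RESPONSE):
        print(f"linkId {link_id}: {value!r}")
        print("  unescaped:", render_answer_vulnerable(value))
        print("  escaped  :", render_answer_safe(value))
```

In PHP, the equivalent of `render_answer_safe` is passing the value through `htmlspecialchars($value, ENT_QUOTES)` before echoing it; OpenEMR's templates carry a `text()` helper that wraps this for HTML body content. The audit regex is deliberately broad: a false positive on a legitimate answer such as "dose < 5mg" only costs a manual look, whereas a missed `onerror=` costs a session.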