OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
Affected versions: < 8.0.0.1
A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0.1. It allows an authenticated clinician to inject arbitrary JavaScript into the Graphical Pain Map form; the injected script then executes in the browser of every user who later views the affected encounter form. Because session cookies are not marked HttpOnly, the injected script can read them, enabling session hijacking of other users, including administrators.
Exploitation results in stored cross-site scripting, with injected JavaScript running in the context of any user viewing the affected form. Combined with the non-HttpOnly session cookie configuration, this enables full session hijacking, unauthorized access to protected health information, and privilege escalation within the application.
To reproduce this vulnerability, log into OpenEMR as an authenticated user with permission to create encounter forms. Open a patient encounter and add a 'Graphical Pain Map' form. Click on the pain map image and enter a payload, such as an image tag with an 'onerror' event, into the 'Detail' textarea. Save the annotation and the form. The injected script will execute when the form is reopened, as the annotation is decoded and injected as raw HTML.
Users should update to OpenEMR version 8.0.0.1 or later, where this vulnerability has been fixed.
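The advisory describes the root cause as an annotation that is decoded and then injected as raw HTML, with the impact amplified by a session cookie that script can read. The following added example (not OpenEMR's own code; the function names, the URL-encoded storage format and the cookie name are assumptions) shows that unsafe pattern next to a hardened one, and the cookie attributes that would keep the session id out of reach of injected script.

```javascript
// Added example, not OpenEMR's own code: the unsafe "decode, then insert as
// markup" pattern the advisory describes, beside a hardened version, plus the
// cookie attributes that would have blunted the session-hijacking impact.
// Function names, the URL-encoded storage format and the cookie name are hypothetical.

// Escape the five characters that can open a tag, attribute or entity.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored annotation is decoded and dropped straight
// into markup (an innerHTML-style sink), so any tag in it becomes live HTML
// for every user who opens the encounter form.
function renderDetailUnsafe(storedDetail) {
  const decoded = decodeURIComponent(storedDetail);
  return `<div class="pain-map-detail">${decoded}</div>`;
}

// Hardened pattern: decode first, then escape the decoded text immediately
// before it reaches the markup sink. Escaping the still-encoded string would
// miss characters that only appear after decoding.
function renderDetailSafe(storedDetail) {
  const decoded = decodeURIComponent(storedDetail);
  return `<div class="pain-map-detail">${escapeHtml(decoded)}</div>`;
}

// Session cookie with HttpOnly (script cannot read it), Secure and SameSite.
// Without HttpOnly, script running in a viewer's browser can read the session id.
function sessionCookieHeader(name, sessionId) {
  return `${name}=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample: the kind of value the pain-map 'Detail' textarea might hold,
// stored URL-encoded (assumed storage format).
const SAMPLE_DETAIL = encodeURIComponent('<img src=x onerror="alert(1)">');

console.log(renderDetailUnsafe(SAMPLE_DETAIL)); // tag survives and executes when rendered
console.log(renderDetailSafe(SAMPLE_DETAIL));   // shown as visible text only
console.log(sessionCookieHeader('sid', 'example-session-id'));
```

If the Detail field genuinely needs rich text, escaping must be replaced by an allow-list HTML sanitizer rather than removed; escaping is the right default for a free-text annotation.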