OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0.2
A DOM-based stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0.2. The issue resides in the jQuery SearchHighlight plugin shipped as 'library/js/SearchHighlight.js'. An authenticated user with write access to encounter forms can store a JavaScript payload in a free-text field; the script then executes in the browser session of any other clinician who uses the search feature on the patient's Custom Report page. The root cause is a context mismatch inside the plugin: it reads the text of DOM text nodes, which the browser has already entity-decoded, concatenates that text into a raw HTML string around its highlight markup, and passes the result to jQuery's '$()' constructor, which parses the string as HTML. Markup that was correctly escaped when the server rendered the page is therefore turned back into live elements, so server-side output encoding alone does not protect this field.
Successful exploitation gives the attacker arbitrary JavaScript execution in the victim clinician's authenticated session. Because the payload is stored in the patient record, it fires every time a user searches the report for the embedded term, without any further action on the attacker's part.
To reproduce this vulnerability, log into OpenEMR as a user with permission to edit encounter forms. Open a patient encounter and enter a payload containing JavaScript into a free-text field, such as the SOAP notes, alongside a common word (the word must appear in the same text node as the payload, since only text nodes that contain a match are rewritten by the highlighter). Save the form, then open the patient's Custom Report page. Confirm that the payload is displayed as escaped text and does not execute at this point; the server-side encoding is working as intended. In the report's search box, enter the common word used in the payload and click search. The highlighter rewrites the matching text node through '$()', and the injected script executes.
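The following is an added example, not code from OpenEMR or from the SearchHighlight plugin, that models the mechanism described above and the reproduction payload at the string level so it runs under Node without a DOM. The stored note, the entity decoder standing in for a text node's decoded content, the 'hilite' class name and the hardened variant are all constructed for illustration; the page only states that 8.0.0.2 fixes the issue, not how, so 'highlightSafe' is one correct approach rather than the project's patch.

```javascript
// Constructed sample: what the server rendered, correctly escaped, into the
// Custom Report page. The "fever" is the common word the searcher will type.
const RENDERED_HTML = 'fever &lt;img src=x onerror=alert(1)&gt; chills';

// A text node's nodeValue/textContent is the *decoded* text, so the escaping
// is already gone by the time the highlighter reads it. Modelled here with a
// minimal decoder for the entities the sample uses (&amp; must be decoded last).
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Escape text so it is safe to splice into an HTML string (&amp; first).
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function termRegex(term) {
  // Escape regex metacharacters so the search term is matched literally.
  return new RegExp(term.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'gi');
}

// Vulnerable pattern: decoded text is spliced straight into an HTML string.
// In the plugin that string goes to $(html), which parses it as markup and
// re-creates the <img> element, firing its onerror handler.
function highlightUnsafe(textNodeValue, term) {
  if (!term) return textNodeValue;
  return textNodeValue.replace(termRegex(term),
    (m) => '<span class="hilite">' + m + '</span>');
}

// Hardened variant (assumption, not the project's fix): every piece of text
// is HTML-escaped before it becomes markup, so only the highlighter's own
// <span> wrapper is ever parsed as an element.
function highlightSafe(textNodeValue, term) {
  if (!term) return escapeHtml(textNodeValue);
  let out = '';
  let last = 0;
  for (const m of textNodeValue.matchAll(termRegex(term))) {
    out += escapeHtml(textNodeValue.slice(last, m.index));
    out += '<span class="hilite">' + escapeHtml(m[0]) + '</span>';
    last = m.index + m[0].length;
  }
  return out + escapeHtml(textNodeValue.slice(last));
}

// Check used to show the difference: does the HTML contain any tag other
// than the highlighter's <span> / </span>?
function containsForeignTag(html) {
  return /<(?!\/?span\b)[a-z]/i.test(html);
}

// Walk the reproduction: render -> text node decode -> highlight on "fever".
function demo() {
  const decoded = decodeEntities(RENDERED_HTML);
  return {
    decoded,
    unsafe: highlightUnsafe(decoded, 'fever'),
    safe: highlightSafe(decoded, 'fever'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The unsafe output contains a bare `<img src=x onerror=alert(1)>` again, which is exactly what `$()` would parse into a live element; the safe output keeps it as `&lt;img ...&gt;`. An equivalent DOM-level fix is to build the highlight with `document.createTextNode()` and `document.createElement('span')` instead of an HTML string, which removes the HTML-parsing sink entirely.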
Upgrade to OpenEMR version 8.0.0.2 or later, where this vulnerability has been patched. After upgrading, confirm that the deployed 'library/js/SearchHighlight.js' is the updated file and not a cached copy, then re-run the reproduction steps above: the payload should remain escaped text after a search.