OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0.1
A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0.1. This issue allows a low-privilege patient portal user to execute arbitrary JavaScript in a staff member's browser session. The vulnerability arises from unsanitized patient names containing HTML markup, which are rendered using jQuery's .html() method in the portal signer modal. The issue originates from the patient self-registration process, where attacker-controlled data can be injected into the database without staff approval.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of a staff member's browser session. This could enable an attacker to perform actions on behalf of the staff user or manipulate clinical records.
To reproduce this vulnerability, enable patient self-registration in OpenEMR and register a new patient with a name containing malicious HTML, such as an image tag with an 'onerror' event. After completing the registration, log into the staff interface and access the patient's record. Open the signature modal, which will render the injected HTML as a DOM element, executing the embedded JavaScript.
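Added example, not OpenEMR's own code: the rendering pattern described above shown in its unsafe form (name interpolated into markup that is later handed to jQuery's .html()) beside an escaped form, plus a registration-time name check. The function names `escapeHtml`, `signerLabelUnsafe`, `signerLabelSafe`, `isAcceptableName`, `elementTags` and the sample name are assumptions constructed for this illustration.

```javascript
// Map of the five characters that must be escaped in HTML text/attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text before it is interpolated into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Unsafe pattern from the advisory: the raw patient name is concatenated into
// markup that is then passed to .html(), so tags in the name become DOM nodes.
function signerLabelUnsafe(patientName) {
  return `<span class="signer">${patientName}</span>`;
}

// Hardened pattern: escape first. Equivalent to setting the name with .text()
// on the element instead of .html() on the surrounding markup.
function signerLabelSafe(patientName) {
  return `<span class="signer">${escapeHtml(patientName)}</span>`;
}

// Defence in depth at the self-registration step: a display name never needs
// angle brackets, so reject them before the value reaches the database.
function isAcceptableName(name) {
  return typeof name === 'string' && name.length > 0 && name.length <= 100 && !/[<>]/.test(name);
}

// Rough stand-in for what the browser's HTML parser would create from a string
// handed to .html(): the list of element tag names it contains.
function elementTags(markup) {
  return [...markup.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample of the kind of name the advisory describes (hypothetical).
const CONSTRUCTED_NAME = '<img src=x onerror=alert(1)>';
```

With the sample name, the unsafe label yields both a span and an img element, while the escaped label yields only the span and the registration check rejects the name outright.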
Users should update to OpenEMR version 8.0.0.1 or later, where this vulnerability has been fixed.