OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0.1
A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0.1. The issue arises in the dynamic code picker AJAX endpoint, which returns code descriptions (code_text) without proper HTML escaping. This allows an administrator or a user with code management rights to inject malicious scripts into code descriptions. When the code picker is used, the injected script executes in the browser of every user, potentially leading to session theft or unauthorized actions on behalf of the user.
Exploitation of this vulnerability results in stored cross-site scripting: a script saved in a code description executes in the context of the OpenEMR session of any user who opens the picker. This can lead to session theft or to actions performed as the victim. The impact is particularly severe for high-privilege users, such as administrators or clinicians, who use the affected code picker.
To reproduce this vulnerability, log in as a user with the ability to manage code entries, such as an administrator. Create or edit a code entry and insert a description that includes a script, such as an image tag with an error event handler. Once the code is saved, log in as another user and access a form that utilizes the dynamic code picker. The injected script will execute in the context of the user's session.
Users are advised to update to OpenEMR version 8.0.0.1 or later, where this vulnerability has been fixed.
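As an added illustration of the defect described above (constructed example, not OpenEMR's own code), the snippet below shows a picker row built from an unescaped `code_text` value beside the hardened form that escapes every field before it reaches the markup; the function names, the sample row and the check are assumptions made for this example.

```javascript
// Added example (not OpenEMR code): a code-picker result row rendered with and
// without HTML escaping of the code_text description. renderPickerRowUnsafe,
// renderPickerRowSafe, escapeHtml, containsRawTag and SAMPLE_ROW are constructed.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the description is concatenated straight into markup,
// which is what happens when an endpoint returns raw code_text and the page
// inserts the response with innerHTML.
function renderPickerRowUnsafe(row) {
  return `<tr><td>${row.code}</td><td>${row.code_text}</td></tr>`;
}

// Hardened pattern: every user-controlled field is escaped on output, so a
// stored description is displayed as text rather than parsed as HTML.
function renderPickerRowSafe(row) {
  return `<tr><td>${escapeHtml(row.code)}</td><td>${escapeHtml(row.code_text)}</td></tr>`;
}

// Constructed sample row: a description of the kind the advisory describes
// (an image tag with an error handler) saved by a user with code-management rights.
const SAMPLE_ROW = {
  code: 'Z00.00',
  code_text: '<img src=x onerror="alert(1)">',
};

// Defensive check usable in a test suite: does rendered output still carry a
// live element tag from user-supplied data?
function containsRawTag(html) {
  return /<(img|script|svg|iframe)\b/i.test(html);
}

console.log(containsRawTag(renderPickerRowUnsafe(SAMPLE_ROW))); // true
console.log(containsRawTag(renderPickerRowSafe(SAMPLE_ROW)));   // false
```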