OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0.1
A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0.1. The issue arises in the Track Anything feature, where user input for track/item names is not properly sanitized before being displayed in Dygraph charts. This allows users with the ability to create or edit Track Anything items to inject scripts that execute when others view the corresponding graph. The vulnerability is present because the application uses innerHTML to render titles and labels without escaping user-controlled content, creating an opportunity for script injection.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of users viewing the affected graphs. This could lead to session theft or performing actions on behalf of the victim, particularly if the user has clinician or admin privileges.
To reproduce this vulnerability, log in as a user who can create or edit Track Anything items. Create a track or item with a name that includes a script tag, such as one that alerts document cookies, or a name that injects script through an attribute, like an 'onmouseover' event. After saving, open the Track Anything graph view for that item. The injected script will execute in the browser when the graph is viewed.
Users are advised to update to OpenEMR version 8.0.0.1 or later. In addition, track and item names should be sanitized or escaped at the point of output, and if Dygraph requires HTML for formatting, a strict allowlist or a library that sanitizes HTML should be used.
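The output-side mitigation described above, as an added example that is not OpenEMR's own code: it escapes stored names before they reach Dygraph's `title` and `labels` options, and shows an escape-then-restore allowlist for the case where formatting tags are wanted. The track object shape, the function names and the sample names are constructed assumptions.

```javascript
// Added example, not OpenEMR code. The track/item object shape and the
// function names are assumptions; `title` and `labels` are Dygraph options.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can open a tag, end an attribute value or
// start an entity, so the result is inert when assigned through innerHTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Strict allowlist for the case where formatting markup is wanted: escape
// everything first, then restore only exact, attribute-less tags. Anything
// carrying an attribute (onmouseover=...) never matches and stays escaped.
const ALLOWED_TAGS = /&lt;(\/?)(b|i|sub|sup)&gt;/g;
function escapeWithAllowlist(value) {
  return escapeHtml(value).replace(ALLOWED_TAGS, "<$1$2>");
}

// Build chart options from stored, user-controlled names at output time.
function buildChartOptions(track, { allowFormatting = false } = {}) {
  const encode = allowFormatting ? escapeWithAllowlist : escapeHtml;
  return {
    title: encode(track.name),
    labels: ["Date", ...track.items.map((item) => encode(item.name))],
  };
}

// Constructed sample record with the kinds of names the advisory describes.
const sampleTrack = {
  name: "<script>alert(document.cookie)</script>",
  items: [
    { name: 'Weight" onmouseover="alert(1)' },
    { name: "<b onmouseover=alert(1)>SpO<sub>2</sub></b>" },
  ],
};

console.log(buildChartOptions(sampleTrack));
console.log(buildChartOptions(sampleTrack, { allowFormatting: true }));
```

Restored tags are not balanced by this code, so a stray `</b>` can affect formatting inside the label but cannot introduce script or attributes.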