OpenEMR Stored Cross-Site Scripting Vulnerability in Eye Exam Form

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenEMR versions before 8.0.0.2. Users with the 'Notes - my encounters' role can inject arbitrary JavaScript into Eye Exam form answers; the stored markup is then rendered unencoded and executed in the browser of whoever views the form in patient encounters or visit history.

Impact

This vulnerability allows any authenticated user with the 'Notes - my encounters' role to inject and execute arbitrary JavaScript in the context of the application, potentially leading to session hijacking, execution of unauthorized actions, or exfiltration of sensitive information, including patient records and credentials.

Reproduction

To reproduce this vulnerability, log into OpenEMR with a user that has the 'Notes - my encounters' role. Create or select a patient, then open the Eye Exam form during a visit. Insert a malicious payload, such as an image tag with an 'onerror' event, into the HPI field and save the form. The injected script executes whenever the encounter is viewed or printed, so any user who later opens that encounter, including users with higher privileges than the author, becomes the victim.

Remediation

Users should update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been fixed. Because the payload is stored with the form, administrators should also review Eye Exam answers saved before the update for injected markup rather than relying on the upgrade alone.
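The rendering defect behind this class of bug, shown as an added example that is not OpenEMR's own code: a free-text form answer (the HPI field described above) echoed into the encounter view unencoded, beside the hardened version that encodes it for the HTML context it lands in. The function names, field name and stored sample value are constructed for illustration.

```php
<?php
// Added example, not OpenEMR's code. Field names and the sample value are constructed.

// Constructed stored value of the kind the advisory describes: an image tag
// with an onerror handler saved as an Eye Exam HPI answer.
$storedAnswer = 'Blurry vision in left eye <img src=x onerror="alert(1)">';

// VULNERABLE: the saved answer is concatenated straight into the page, so the
// browser parses the tag and runs the handler each time the encounter is viewed.
function renderHpiVulnerable(string $answer): string
{
    return "<div class='hpi'>" . $answer . "</div>";
}

// HARDENED: encode for an HTML text context. ENT_QUOTES also encodes both quote
// characters, so the same helper is safe inside a quoted attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string that would hide data.
function textOut(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHpiSafe(string $answer): string
{
    return "<div class='hpi'>" . textOut($answer) . "</div>";
}

// Re-populating the edit form is an attribute context: the value must be both
// encoded and enclosed in quotes, otherwise a space in the answer ends the attribute.
function hpiInputSafe(string $answer): string
{
    return "<input type='text' name='hpi' value='" . textOut($answer) . "'>";
}

echo renderHpiVulnerable($storedAnswer), PHP_EOL; // markup reaches the browser intact
echo renderHpiSafe($storedAnswer), PHP_EOL;       // markup displayed as literal text
echo hpiInputSafe($storedAnswer), PHP_EOL;
```

The same encoding must be applied on every path that displays the stored answer (encounter view, visit history and print view), since the payload persists in the database and executes wherever it is rendered raw.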

Added: Mar 19, 2026, 9:30 PM
Updated: Mar 19, 2026, 9:30 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 1.7
exploitability: 6.0
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.