OpenEMR Stored Cross-Site Scripting Vulnerability in Portal Credential Print View

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0.2. The issue arises from unescaped user input in the `portal_login_username` field, which is rendered in the portal credential print view. When a patient portal user sets their username to include an XSS payload, it executes in the browser of a clinic staff member who accesses the 'Create Portal Login' page for that patient. This vulnerability allows the injected script to cross from the patient session context into the staff/admin session context, potentially accessing session cookies and executing actions on behalf of the staff user.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of a clinic staff member's browser session. This could lead to unauthorized access to session cookies, page content, and the ability to perform actions as the staff user, such as submitting forms.

Reproduction

To reproduce this vulnerability, sign in to the patient portal as any patient. Navigate to the credential change page and set the username to an XSS payload, such as an image tag with an `onerror` event. Submit the form, and then as a clinic staff member, open the patient's chart and click 'Create Portal Login'. The injected script will execute in the staff member's browser session.

Remediation

Users can update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been patched.
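
For deployments that carry local customizations or need to review data stored before the upgrade, the following added PHP example shows the general unescaped-versus-escaped output pattern behind this class of bug, plus a check for stored usernames that contain markup. It is not OpenEMR's code or its patch; the function names, the `pid` key and the sample rows are assumptions made for illustration, and only `portal_login_username` comes from the advisory.

```php
<?php
declare(strict_types=1);

// Added illustration; not OpenEMR source. All function names are hypothetical.

// Vulnerable pattern: the stored username is concatenated into HTML as-is,
// so any markup saved by the portal user is parsed by the staff browser.
function renderCredentialRowUnsafe(string $username): string
{
    return '<td class="cred">' . $username . '</td>';
}

// Hardened pattern: encode at output time for the HTML text context.
function renderCredentialRowSafe(string $username): string
{
    return '<td class="cred">'
        . htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</td>';
}

// Audit helper: return rows whose stored username contains HTML
// metacharacters, so they can be reviewed and reset.
function findSuspectUsernames(array $rows): array
{
    return array_values(array_filter(
        $rows,
        static fn(array $r): bool =>
            preg_match('/[<>"\'&]/', $r['portal_login_username']) === 1
    ));
}

// Constructed sample rows ('pid' is an assumed key, not taken from the advisory).
$rows = [
    ['pid' => 1, 'portal_login_username' => 'jane.doe42'],
    ['pid' => 2, 'portal_login_username' => '<img src=x onerror=console.log(1)>'],
];

foreach ($rows as $r) {
    // The encoded form displays the markup as literal text in the print view.
    echo renderCredentialRowSafe($r['portal_login_username']), PHP_EOL;
}
foreach (findSuspectUsernames($rows) as $r) {
    echo "review stored username for pid {$r['pid']}", PHP_EOL;
}
```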

Added: Mar 19, 2026, 9:27 PM
Updated: Mar 19, 2026, 9:27 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 5.4
exploitability: 5.6
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.