OpenEMR Stored Cross-Site Scripting Vulnerability in Patient Portal Payment Flow

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0.2. This issue resides within the patient portal payment process, where a patient portal user can inject arbitrary JavaScript that is executed in the browser of a staff member reviewing the payment. The malicious script is injected through 'portal/lib/paylib.php' and is rendered without proper escaping in 'portal/portal_payment.php'.
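The defect described above is a missing output-encoding step: a value a portal user controls is stored by the payment endpoint and later concatenated into staff-facing HTML. The following PHP is an added illustration of that pattern beside its hardened form; it is not OpenEMR's own code, and the $payment array shape, the 'memo' field and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not OpenEMR's own code. The $payment shape, the 'memo'
// field and the function names are assumptions made for illustration.

/**
 * Vulnerable pattern: a patient-supplied value stored by the payment
 * endpoint is concatenated straight into staff-facing HTML.
 */
function render_payment_row_unsafe(array $payment): string
{
    return '<tr><td>' . $payment['amount'] . '</td>'
         . '<td>' . $payment['memo'] . '</td></tr>';
}

/** Encode for an HTML text node or a double-quoted attribute value. */
function esc_html(string $value): string
{
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: every untrusted value is encoded at the point of
 * output, for the context it lands in. Storage is unchanged, so the
 * fix also covers records that were written before the patch.
 */
function render_payment_row_safe(array $payment): string
{
    $amount = esc_html((string) $payment['amount']);
    $memo   = esc_html((string) $payment['memo']);
    // The title attribute repeats the value in an attribute context;
    // the double quotes around it are what ENT_QUOTES protects.
    return '<tr><td>' . $amount . '</td>'
         . '<td title="' . $memo . '">' . $memo . '</td></tr>';
}

// Constructed sample: a memo carrying the kind of markup the advisory
// describes, as a portal user could submit it.
$payment = [
    'amount' => '25.00',
    'memo'   => '<script>alert(document.domain)</script>',
];

echo "unsafe: " . render_payment_row_unsafe($payment) . "\n";
echo "safe:   " . render_payment_row_safe($payment) . "\n";

// Self-check a reviewer can run: the hardened output must not contain
// a raw <script> tag anywhere.
$safe = render_payment_row_safe($payment);
if (stripos($safe, '<script') !== false) {
    throw new RuntimeException('output escaping failed');
}
echo "check passed: no raw script tag in hardened output\n";
```

Run with `php example.php`. The unsafe row echoes the markup verbatim, so a staff browser parses it as a script element; the hardened row emits `&lt;script&gt;...&lt;/script&gt;` and the browser shows the text. Validating the value on the way in (the paylib.php side) is a useful complement, but encoding at output for the HTML context is the control that actually closes this class of bug.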

Impact

Exploitation allows a low-privilege patient portal user to execute arbitrary JavaScript in the context of a staff member's session. This could lead to session hijacking, unauthorized access to other patients' data within the staff interface, or actions being performed on behalf of the staff user.

Reproduction

To reproduce this vulnerability, authenticate to the patient portal with a patient account. Then, POST a request to 'portal/lib/paylib.php' with a payload that includes unescaped JavaScript, such as a script that alerts the document domain. This injected script will be executed when a staff member reviews the payment in the portal payment interface.

Remediation

Update to OpenEMR version 8.0.0.2 or later, where this vulnerability has been fixed.

Added: Mar 19, 2026, 9:24 PM
Updated: Mar 19, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread            4.5
impact            1.7
exploitability    6.0
remediation       7.7
relevance         4.1
threat            6.4
urgency           2.9
incentive         0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.