OpenEMR Stored Cross-Site Scripting Vulnerability in Eye Exam Form

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0.3. It affects users with the 'Notes - my encounters' role, who can fill out Eye Exam forms in patient encounters. The flaw lies in the function that displays form answers: it does not encode the stored responses before output, so an authenticated attacker with that role can inject arbitrary JavaScript by entering malicious payloads into the form responses. The injected JavaScript then runs in the browser of any user with the form role who views the encounter pages or visit history.
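The root cause above is unencoded output of stored answers. The following is an added illustration, not OpenEMR's own code: a hypothetical renderer (`renderAnswerVulnerable`) in the vulnerable shape the advisory describes, beside a hardened version (`renderAnswerHardened`) that HTML-encodes the answer before it reaches the page. The sample answer is constructed; the event-handler body is a harmless placeholder.

```php
<?php
// Added illustration, not OpenEMR's own code. Function names, the
// table layout and the sample answer are all assumptions made here.
declare(strict_types=1);

// Constructed sample answer for the "Chronic Problems" field: ordinary
// text mixed with an image tag carrying an event handler, the kind of
// input the advisory describes. The handler body is a harmless marker.
$chronicProblems = 'Dry eye, glaucoma <img src="x" onerror="console.log(\'marker\')">';

// Vulnerable shape: the stored answer is interpolated into the page
// unchanged, so the browser parses the <img> element and fires its
// event handler for every viewer of the encounter or visit history.
function renderAnswerVulnerable(string $label, string $answer): string
{
    return "<tr><td>$label</td><td>$answer</td></tr>";
}

// Hardened shape: encode for the HTML element-content context before
// output. ENT_QUOTES also encodes single quotes, so the same helper is
// safe when a value lands inside an attribute; naming the charset avoids
// encoding mismatches that can defeat the escaping.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderAnswerHardened(string $label, string $answer): string
{
    return '<tr><td>' . escapeHtml($label) . '</td><td>'
        . escapeHtml($answer) . '</td></tr>';
}

// Simple regression check a maintainer can keep in a test suite: the
// hardened output must never contain a raw tag opener or an unencoded
// quote, regardless of what was stored in the form.
function containsRawMarkup(string $html): bool
{
    $cell = substr($html, strpos($html, '<td>', 4) + 4);
    return str_contains($cell, '<') || str_contains($cell, '"');
}

echo renderAnswerVulnerable('Chronic Problems', $chronicProblems), PHP_EOL;
echo renderAnswerHardened('Chronic Problems', $chronicProblems), PHP_EOL;
var_dump(containsRawMarkup(renderAnswerVulnerable('Chronic Problems', $chronicProblems)));
var_dump(containsRawMarkup(renderAnswerHardened('Chronic Problems', $chronicProblems)));
```

The same encoding must be applied on every path that displays the answers, including the printed encounter view the advisory mentions, since a single unencoded sink is enough to reintroduce the issue.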

Impact

Exploiting this vulnerability allows for the injection of JavaScript that is executed when the form answers are viewed, potentially leading to session hijacking, execution of unauthorized actions, or exfiltration of sensitive information such as patient records and credentials.

Reproduction

To reproduce this vulnerability, log into OpenEMR with a user that has the 'Notes - my encounters' role. Create or select a patient, then initiate a visit and navigate to the Eye Exam form. Fill in the required fields, including the Chronic Problems section, with a combination of normal text and XSS payloads, such as images with JavaScript event handlers. After saving the form, the injected scripts will execute when the encounter is viewed or printed.

Remediation

Update to OpenEMR version 8.0.0.3 or later, which contains the fix for this vulnerability.

Added: Mar 25, 2026, 11:26 PM
Updated: Mar 25, 2026, 11:26 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 1.7
exploitability: 6.0
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.