OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- <= 8.0.0.2
A stored cross-site scripting vulnerability has been identified in OpenEMR versions prior to 8.0.0.3. This vulnerability allows an attacker to execute arbitrary JavaScript in a clinician's browser session by uploading or sending a CCDA document that is previewed. The issue arises because the XSL stylesheet used for sanitizing attributes in narrative elements does not properly handle 'linkHtml', allowing 'javascript:' links and event handler attributes to be injected. When the CCDA document is previewed, the unsanitized JavaScript executes in the context of the user viewing the document.
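The attribute check the stylesheet should apply to every 'linkHtml' it passes through, written as an added Python illustration (not OpenEMR's own code or the 8.0.0.3 fix): it allowlists the URL scheme of 'href' rather than only rejecting 'javascript:', strips the control characters browsers ignore inside a scheme before classifying it, and drops every 'on*' event-handler attribute. The CCDA narrative fragment it runs over is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SAFE_SCHEMES = {"http", "https", "mailto"}

# Constructed CCDA narrative fragment: one legitimate link and one
# linkHtml carrying a script URL plus an event handler attribute.
SAMPLE = """<text xmlns="urn:hl7-org:v3">
  <paragraph>Referral: <linkHtml href="https://example.org/report">report</linkHtml></paragraph>
  <paragraph><linkHtml href="javascript:void(0)" onclick="void(0)">open</linkHtml></paragraph>
</text>"""


def _local(name):
    """Strip an XML namespace prefix such as {urn:hl7-org:v3} from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def href_is_safe(href):
    """Allow relative URLs and an explicit scheme allowlist; reject everything else."""
    # Browsers ignore ASCII control characters and whitespace inside the scheme
    # ("java\tscript:"), so remove them before looking at the scheme.
    cleaned = "".join(ch for ch in href if ord(ch) > 0x20).lower()
    match = re.match(r"^([a-z][a-z0-9+.-]*):", cleaned)
    if match is None:
        return True  # no scheme at all: relative link or fragment
    return match.group(1) in SAFE_SCHEMES


def sanitize_narrative(xml_text):
    """Return (sanitized XML, list of (attribute, value) pairs that were removed)."""
    root = ET.fromstring(xml_text)
    removed = []
    for el in root.iter():
        if _local(el.tag) != "linkHtml":
            continue
        for attr in list(el.attrib):  # copy: we delete while iterating
            name = _local(attr).lower()
            value = el.attrib[attr]
            if name.startswith("on") or (name == "href" and not href_is_safe(value)):
                removed.append((name, value))
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    sanitized, dropped = sanitize_narrative(SAMPLE)
    print(dropped)
    print(sanitized)
```

Because the XML parser decodes entities before the check runs, an entity-encoded scheme is classified the same way as a plain one.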
Exploitation results in stored cross-site scripting, with the injected JavaScript executing in the context of the user who previews the document. Because OpenEMR session cookies are not set with the HttpOnly flag, the script can read the session cookie, enabling session hijacking and potential privilege escalation from a low-privileged user to an administrator.
To reproduce this vulnerability, upload a CCDA document containing a 'linkHtml' element with a 'javascript:' URL into the patient's document tree. Then, log in as a clinician and preview the document. The JavaScript will execute in the clinician's session.
Users can update to OpenEMR version 8.0.0.3 or later, where this vulnerability has been patched.