OpenEMR Reflected Cross-Site Scripting Vulnerability in Custom Template Editor

Vulnerability

A reflected cross-site scripting vulnerability has been identified in OpenEMR versions from 7.0.2.1 up to, but not including, 8.0.0.3. The issue resides in the custom template editor, which echoes the 'contextName' request parameter into the page without HTML-encoding it. An attacker who can get an authenticated staff member to open a crafted URL can execute arbitrary JavaScript in that user's browser session. Notably, the attacker does not need an OpenEMR account: the only requirement is that the victim is logged in when the link is opened.

Impact

Successful exploitation runs attacker-controlled JavaScript in the context of the victim's authenticated OpenEMR session. Because the script executes with the victim's privileges, it can read any data the victim's account can view and perform actions on the victim's behalf within the application. The vulnerability is reflected rather than stored, so each victim must be induced to open the crafted link; nothing is persisted on the server.

Reproduction

The victim must be logged into OpenEMR as a staff user. The attacker builds a URL to the custom template editor whose 'contextName' parameter contains a crafted value, for example an image tag with an 'onerror' event handler, and sends that URL to the victim. Because the parameter is reflected into the page unencoded, the browser parses the tag, the image fails to load, and the handler's JavaScript runs in the session of the user who opened the link. To confirm a fix, request the same URL against the patched version and check that the parameter value appears in the response as HTML-encoded text (angle brackets rendered as entities) rather than as markup.
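The bug class behind the Vulnerability and Reproduction sections above, as an added example that is not OpenEMR's own code: a request parameter (assumed here to be named 'contextName', as in the advisory) echoed into HTML verbatim, shown beside the hardened form that encodes it for the output context, plus the reflection check a tester would apply to a response body. The probe string, the surrounding markup and the function names are constructed for the example; OpenEMR's real template editor page and its own escaping helpers are not reproduced here.

```php
<?php
// Added example, not OpenEMR's code. Models the bug described in the
// advisory: a request parameter (assumed name: contextName) written into the
// page without encoding, next to the hardened pattern.

// Constructed probe of the kind the advisory describes: an image tag whose
// onerror handler runs when the (nonexistent) image fails to load.
const PROBE = '<img src=x onerror=alert(document.domain)>';

// Vulnerable pattern: the parameter lands in the page verbatim, so the
// browser parses the attacker's tag as markup.
function renderVulnerable(string $contextName): string
{
    return '<h3>Custom template for ' . $contextName . '</h3>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes both quote characters, so the same call is safe
// inside a quoted attribute; ENT_SUBSTITUTE avoids returning an empty string
// on invalid UTF-8, which would otherwise silently drop the value.
function renderSafe(string $contextName): string
{
    return '<h3>Custom template for '
        . htmlspecialchars($contextName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</h3>';
}

// Same rule for an attribute context, e.g. a hidden field that round-trips
// the value back to the server: encode, and always quote the attribute.
function renderHiddenField(string $contextName): string
{
    return '<input type="hidden" name="contextName" value="'
        . htmlspecialchars($contextName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// Reflection check of the kind a tester runs against a response body: the
// probe is reflected dangerously only if it appears with its tag delimiters
// intact, not merely as an entity-encoded string.
function reflectsRawProbe(string $body, string $probe): bool
{
    return strpos($body, $probe) !== false;
}

// Stand-in for $_GET['contextName']; in a real request this comes from the URL.
$contextName = PROBE;

foreach ([
    'vulnerable' => renderVulnerable($contextName),
    'hardened'   => renderSafe($contextName),
    'attribute'  => renderHiddenField($contextName),
] as $label => $html) {
    printf("%-10s raw-reflected=%s  %s\n",
        $label, reflectsRawProbe($html, PROBE) ? 'yes' : 'no', $html);
}
```

Run with `php example.php`. The vulnerable line prints the probe intact and the check reports it as raw-reflected; the hardened and attribute lines print `&lt;img src=x onerror=alert(document.domain)&gt;` and the check reports no raw reflection, which is the same condition the fix-verification step in the Reproduction section looks for. Two caveats: encoding must match the output context (a value written into a JavaScript string or a URL needs different handling than HTML text), and escaping belongs at the point of output; filtering input on the way in is not a substitute, because the same value may be rendered in several contexts.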

Remediation

Update to OpenEMR version 8.0.0.3 or later, which addresses this vulnerability. Until the update is applied, a Content Security Policy that disallows inline scripts can limit the impact of reflected payloads but does not remove the underlying encoding defect.

Added: Mar 26, 2026, 12:23 AM
Updated: Mar 26, 2026, 12:23 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 1.7
exploitability: 7.2
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.