How the CVE Works
The vulnerability in OpenEMR (versions < 7.0.3.4) allows authenticated attackers with patient creation privileges to inject malicious JavaScript payloads into the First and Last Name fields during patient registration. The payload persists in the database and executes when healthcare staff view the patient's encounter under Orders → Procedure Orders. This stored XSS bypasses input sanitization, enabling session hijacking, phishing, or privilege escalation. The flaw stems from improper neutralization of user-supplied data before it is rendered in the web interface.
DailyCVE Form
Platform: OpenEMR
Version: < 7.0.3.4
Vulnerability: Stored XSS
Severity: Critical
Date: 05/23/2025
Prediction: Patch expected by 08/15/2025
What Undercode Say
-- Detection query: find stored patient names that already contain script markup
SELECT pid, first_name, last_name FROM patient_data WHERE first_name LIKE '%<script%' OR last_name LIKE '%<script%';
// Vulnerable code snippet (simplified): the stored name is echoed into HTML without output encoding
echo "<td>" . $row['first_name'] . "</td>";
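The same rendering path as an added example (written for this page, not OpenEMR's own code): the unescaped echo beside an output-encoded version, plus a CSP header as a second layer. The `$row` record, the function names and the CSP policy are assumptions.

```php
<?php
// Added example, not OpenEMR project code. Constructed patient record standing
// in for a row from patient_data; the first name carries an inert script marker.
declare(strict_types=1);

$row = [
    'first_name' => 'Ann <script>/* constructed test marker */</script>',
    'last_name'  => "O'Brien",
];

// Vulnerable: the stored name is concatenated straight into HTML, so a
// <script> element saved at registration becomes live markup when viewed.
function renderNameCellVulnerable(array $row): string
{
    return "<td>" . $row['first_name'] . " " . $row['last_name'] . "</td>";
}

// Hardened: encode on output. ENT_QUOTES also neutralises quotes so the same
// helper is safe inside attribute values; an explicit UTF-8 charset avoids
// encoding-dependent bypasses.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderNameCellSafe(array $row): string
{
    return "<td>" . h($row['first_name']) . " " . h($row['last_name']) . "</td>";
}

// Defence in depth: a policy without 'unsafe-inline' stops injected inline
// script from running even if an encoding gap remains. Send before any output.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'");
}

// Self-check from the CLI: the encoded cell must not contain a live <script> tag.
if (PHP_SAPI === 'cli') {
    echo renderNameCellVulnerable($row), PHP_EOL; // markup passes through untouched
    echo renderNameCellSafe($row), PHP_EOL;       // markup is entity-encoded
    assert(strpos(renderNameCellSafe($row), '<script>') === false);
    assert(strpos(renderNameCellSafe($row), '&lt;script&gt;') !== false);
}
```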
How Exploit
1. Authenticate as low-privilege user.
2. Create patient with `` as name.
3. Trigger XSS via Procedure Orders view.
Protection from this CVE
- Upgrade to OpenEMR 7.0.3.4+.
- Implement CSP headers.
- Sanitize user input/output.
Impact
- Unauthorized admin actions.
- Patient data theft.
- Session compromise.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode