How the CVE Works
The vulnerability in OpenEMR (versions < 7.0.3.4) allows authenticated attackers with patient editing privileges to inject malicious JavaScript via input fields in the Patient Demographics section. The payload executes in two scenarios: (1) dynamically during form input, and (2) when the form is reloaded for editing. Attackers exploit insufficient input sanitization in Text Box (Address, City, etc.) and Drop Down (State, Country) fields, enabling persistent XSS attacks. The patched version (7.0.3.4) implements proper sanitization.
DailyCVE Form
Platform: OpenEMR
Version: < 7.0.3.4
Vulnerability: Stored XSS
Severity: Critical
Date: 05/23/2025
Prediction: Patch expected by 06/15/2025
What Undercode Say
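Check OpenEMR version (the version fields are defined in version.php; sqlconf.php holds the database settings):
    grep -E '^\$v_(major|minor|patch|realpatch)' /var/www/openemr/version.php
Exploit PoC (malicious payload example):
    <script>alert('XSS')</script>
Verify patch:
    diff -r /var/www/openemr /patched/openemr-7.0.3.4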
How Exploit
1. Authenticate as a low-privilege user.
2. Inject malicious script into Patient Demographics fields.
3. Trigger execution via form reload or dynamic input.
Protection from this CVE
- Upgrade to OpenEMR 7.0.3.4.
- Implement CSP headers.
- Sanitize user inputs server-side.
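The protections above applied to the two field types named in the description (text boxes and drop-downs), as an added example that is not OpenEMR's code or its 7.0.3.4 patch. The field names, option lists, length limits and the CSP policy value are assumptions made for the illustration.

```python
import html

POC = "<script>alert('XSS')</script>"  # the payload string shown on this page
# Constructed option lists and length limits (assumptions for this example).
ALLOWED = {"state": {"CA", "NY", "TX"}, "country": {"USA", "CAN"}}
TEXT_LIMITS = {"street": 80, "city": 40}
# Policy without 'unsafe-inline': inline <script> and event handlers do not run.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


def validate(record):
    """Server-side checks for a demographics update; returns a list of errors."""
    errors = []
    for field, options in ALLOWED.items():
        # A drop-down value is client input like any other: check it against
        # the option list instead of trusting what the browser submitted.
        if record.get(field, "") not in options:
            errors.append(f"{field}: not a listed option")
    for field, limit in TEXT_LIMITS.items():
        if len(record.get(field, "")) > limit:
            errors.append(f"{field}: longer than {limit} characters")
    return errors


def render_text_box(name, value):
    """Edit-form text input; the stored value is encoded for an attribute."""
    return f'<input type="text" name="{name}" value="{html.escape(value, quote=True)}">'


def render_drop_down(name, options, selected):
    """Edit-form select built from the server's list, never from stored text."""
    rows = []
    for opt in sorted(options):
        safe = html.escape(opt, quote=True)
        mark = " selected" if opt == selected else ""
        rows.append(f'<option value="{safe}"{mark}>{safe}</option>')
    return f'<select name="{name}">' + "".join(rows) + "</select>"


if __name__ == "__main__":
    # Constructed record: POC stored in one text box and one drop-down field.
    stored = {"street": '12 "Main" St', "city": POC, "state": POC, "country": "USA"}
    print(validate(stored))  # rejected on write: state is not a listed option
    for field in TEXT_LIMITS:  # free text is kept as data, encoded on reload
        print(render_text_box(field, stored[field]))
    print(render_drop_down("state", ALLOWED["state"], stored["state"]))
```

Free-text fields are encoded when the form is rendered instead of being rewritten on input, so legitimate addresses containing quotes or angle brackets survive intact.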
Impact
- Session hijacking.
- Unauthorized data access.
- Malware delivery.
Sources:
Reported By: nvd.nist.gov