Executive Summary

CVE-2025-67491 is a stored cross-site scripting (XSS) vulnerability in the ub04 helper component of the billing interface in OpenEMR versions 5.0.0.5 through 7.0.3.4. The vulnerability occurs because user data is embedded into a click event handler in the HTML without proper sanitization, despite using json_encode. This allows a malicious user to inject JavaScript payloads that execute when the button is clicked.

An attacker with low privileges and an authenticated user account can modify their own fields to include malicious scripts. When other users access the affected page, the injected script executes in their browsers.

This vulnerability enables attackers to steal session cookies and impersonate administrators, leading to unauthorized actions. The issue was patched in OpenEMR version 7.0.4.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows low-privileged authenticated users to perform stored XSS attacks by injecting malicious JavaScript into the billing interface.

The impact includes the theft of session cookies, which can be used to impersonate administrators and perform unauthorized actions within the system.

Because the attack vector is network-based and requires only low privileges, it poses a significant risk to the confidentiality and integrity of sensitive data handled by OpenEMR.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the OpenEMR instance is running a vulnerable version (5.0.0.5 through 7.0.3.4) and by inspecting the ub04 helper component in the billing interface for unsanitized user input in the onclick event handler.'}, {'type': 'paragraph', 'content': 'Specifically, you can look for malicious payloads injected into user fields such as fname or lname that might trigger stored XSS when accessing the billing interface.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation or presence of the vulnerability include:'}, {'type': 'list_item', 'content': "Search the database for suspicious script payloads in user fields (e.g., fname, lname) using SQL queries like: SELECT * FROM users WHERE fname LIKE '%<img%' OR lname LIKE '%<img%';"}, {'type': 'list_item', 'content': 'Monitor HTTP requests to the vulnerable endpoint (interface/billing/ub04_helpers.php) for unusual or suspicious parameters or payloads.'}, {'type': 'list_item', 'content': 'Use web application scanners that detect stored XSS vulnerabilities by simulating payload injections and observing if they are executed.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade OpenEMR to version 7.0.4 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict user privileges to prevent low-privileged users from modifying their fname or lname fields with malicious payloads.

Additionally, monitor and sanitize user inputs on the billing interface, especially in the ub04 helper component, to prevent injection of malicious scripts.

Implement web application firewall (WAF) rules to detect and block common XSS payloads targeting the vulnerable endpoints.

Useful 0 Not Useful 0