Executive Summary

CVE-2025-69231 is a stored cross-site scripting (XSS) vulnerability in the GAD-7 anxiety assessment form of the OpenEMR application, affecting versions prior to 8.0.0.

Authenticated users with clinician privileges can inject malicious JavaScript code into the form. This code executes when other users view or edit the form.

The root cause is insufficient sanitization of user-controlled data embedded directly into JavaScript code using a function that applies htmlspecialchars() with ENT_NOQUOTES, which does not properly escape for JavaScript context.

This allows attackers to execute arbitrary JavaScript in the context of other users viewing the form.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Session hijacking: attackers can steal session tokens of users viewing the compromised form.
• Account takeover: attackers gain full access to victim user accounts.
• Privilege escalation: attackers can escalate from clinician privileges to administrator privileges.
• Data breach: attackers can access all patient medical records.
• Persistence: the malicious payload is stored in the database, causing repeated execution when the form is viewed or edited.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your OpenEMR installation is running a version prior to 8.0.0 and if the GAD-7 anxiety assessment form is enabled and in use.'}, {'type': 'paragraph', 'content': 'You can also inspect the database table `form_gad7` for suspicious or unexpected JavaScript code injected into fields such as `control_worry_score`.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves stored cross-site scripting in the GAD-7 form, monitoring HTTP requests and responses for injected JavaScript payloads when clinicians submit or edit the form can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': "Query the database for suspicious entries: `SELECT control_worry_score FROM form_gad7 WHERE control_worry_score LIKE '%<script>%' OR control_worry_score LIKE '%fetch(%';`"}, {'type': 'list_item', 'content': "Check the OpenEMR version installed: `grep 'Version' /path/to/openemr/version_file` or check the application UI for version info."}, {'type': 'list_item', 'content': 'Monitor web server logs for unusual POST requests to `/interface/forms/gad7/save.php` that contain suspicious JavaScript payloads.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and most effective mitigation is to upgrade OpenEMR to version 8.0.0 or later, where the vulnerability is fixed by properly sanitizing user input before embedding it in JavaScript.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider disabling the GAD-7 anxiety assessment form to prevent the vulnerability from being triggered.'}, {'type': 'paragraph', 'content': 'Restrict clinician user privileges temporarily to reduce the risk of malicious input injection.'}, {'type': 'paragraph', 'content': 'Monitor and audit the `form_gad7` database table for injected scripts and remove any suspicious entries.'}, {'type': 'paragraph', 'content': "Educate users to avoid clicking 'Edit' on suspicious GAD-7 forms until the issue is resolved."}] [2]

Useful 0 Not Useful 0