Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32121 is a high-severity stored DOM-based cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.1. It occurs in the portal signature modal component where patient names are rendered on the client side using jQuery's .html() method without proper sanitization."}, {'type': 'paragraph', 'content': 'The vulnerability arises because patient names containing HTML or script content are stored unsanitized in the database, and the patient self-registration flow allows attacker-controlled input to enter the system without validation. The server-side validation function does not sanitize or reject HTML input, and no encoding or sanitization happens before inserting the data into the DOM.'}, {'type': 'paragraph', 'content': 'When a staff member opens the attacker’s patient record and triggers the signature modal, the malicious patient name is rendered using .html(), causing the embedded script to execute in the staff member’s browser.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript in the browsers of clinical staff members by injecting malicious code through patient names.

• It can lead to session hijacking, allowing attackers to take over staff user sessions.
• It can enable data exfiltration, exposing sensitive patient or clinical data.
• It may allow unauthorized actions or modification of clinical records.

Exploitation requires patient self-registration to be enabled and staff interaction with the attacker’s patient record, making the attack vector network-based but with high complexity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by identifying if your OpenEMR installation is running a version prior to 8.0.0.1 and if patient self-registration is enabled, allowing attacker-controlled input. Specifically, you can check for the presence of the vulnerable JavaScript code in the staff interface, particularly in the file portal/sign/assets/signer_api.js around line 279 where jQuery's .html() method is used to render patient names without sanitization."}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of malicious data, you can query the database for patient names containing suspicious HTML or JavaScript tags, such as <img> tags with onerror attributes.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': "Check OpenEMR version: `grep 'version' /path/to/openemr/version.php` or check the application UI for version info."}, {'type': 'list_item', 'content': 'Check if patient self-registration is enabled by reviewing OpenEMR configuration files or admin settings.'}, {'type': 'list_item', 'content': "Search the database for patient names containing HTML tags (example for MySQL): `SELECT id, fname, lname FROM patient_data WHERE fname LIKE '%<%' OR lname LIKE '%<%';`"}, {'type': 'list_item', 'content': "Inspect the JavaScript file for vulnerable code: `grep -n '.html(' /path/to/openemr/portal/sign/assets/signer_api.js`"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade OpenEMR to version 8.0.0.1 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, consider the following interim mitigations:

• Disable patient self-registration to prevent attacker-controlled input from entering the database.
• Manually sanitize or remove any patient names in the database that contain HTML or JavaScript code.
• Restrict staff access to patient records that might contain malicious data until the issue is resolved.
• Review and enhance Content-Security-Policy headers to restrict inline scripts and event handlers, although this alone will not fully mitigate the vulnerability.

Useful 0 Not Useful 0