Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33303 is a stored cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.2. It occurs because the patient portal login username (`portal_login_username`) is not properly escaped when displayed in the portal credential print view. A patient can set their login username to a malicious script payload, which then executes in the browser of a clinic staff member when they open the "Create Portal Login" page for that patient. This allows the malicious script to run in the staff/admin session context, crossing trust boundaries.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated patient portal user to inject and execute arbitrary JavaScript code in the browser of clinic staff members. The impact includes the ability for the attacker to access staff session cookies, read sensitive page content, and perform actions on behalf of the staff user. This can lead to unauthorized access to sensitive information and potentially further compromise of the system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves stored cross-site scripting (XSS) via the unescaped portal_login_username field in OpenEMR versions prior to 8.0.0.2. Detection involves identifying if any patient portal usernames contain malicious XSS payloads.'}, {'type': 'paragraph', 'content': 'One approach is to query the database for suspicious usernames that contain typical XSS payload patterns such as script tags or event handlers.'}, {'type': 'list_item', 'content': 'Run a SQL query on the patient_access_onsite table to find usernames with suspicious characters, for example: SELECT portal_login_username FROM patient_access_onsite WHERE portal_login_username LIKE \'%<%\' OR portal_login_username LIKE \'%"%\' OR portal_login_username LIKE \'%onerror=%\';'}, {'type': 'list_item', 'content': 'Monitor web server logs for unusual requests to the portal credential print view or the Create Portal Login page that might include suspicious payloads.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires a staff member to open the affected patient’s portal credential page, monitoring browser behavior or using web application security scanners that detect stored XSS in the portal credential print view may also help.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenEMR to version 8.0.0.2 or later, where the vulnerability has been fixed by applying proper escaping to the portal_login_username field in the portal credential print template.

If immediate upgrade is not possible, restrict access to the patient portal credential print view and the Create Portal Login page to trusted staff only, and educate staff to be cautious when opening patient portal login pages.

Additionally, review and sanitize existing patient portal usernames in the database to remove any malicious payloads.

Implement web application firewall (WAF) rules to detect and block XSS payloads targeting the portal_login_username field.

Useful 0 Not Useful 0