Executive Summary

CVE-2026-33346 is a stored cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.2, specifically in the patient portal payment flow.

A patient portal user can submit malicious JavaScript code via the payment submission process, which is stored in the database without proper escaping.

When a staff member later reviews the payment submission, the malicious script is executed in their browser because the stored data is embedded directly into a JavaScript string literal without proper encoding.

This happens because the user input is stored verbatim in the database and then echoed inside a single-quoted JavaScript string in the staff payment review page, allowing the injected script to break out of the string and run arbitrary code.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a low-privilege patient portal user to execute arbitrary JavaScript code in the browser of any staff member who reviews their payment submission.

• It can lead to session hijacking of staff members.
• It can allow unauthorized access to sensitive patient data visible in the staff user interface.
• It can enable unauthorized actions to be performed on behalf of the staff user.

No special configuration or non-default settings are required for exploitation; the vulnerability exists in the standard patient portal and payment review features.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of malicious JavaScript payloads stored in the patient portal payment flow, specifically in the database column `onsite_portal_activity.table_args` that is populated via `portal/lib/paylib.php`.'}, {'type': 'paragraph', 'content': 'One approach is to query the database for suspicious entries containing JavaScript code or single quotes that could break out of JavaScript string literals.'}, {'type': 'list_item', 'content': "Run a SQL query to find suspicious payloads in the `table_args` column, for example: SELECT * FROM onsite_portal_activity WHERE table_args LIKE '%<script>%' OR table_args LIKE '%\\'%';"}, {'type': 'list_item', 'content': 'Monitor HTTP POST requests to `portal/lib/paylib.php` for suspicious `inv_values` parameters containing JavaScript or single quotes that could be used to inject scripts.'}, {'type': 'list_item', 'content': "Use web application security scanners or custom scripts to simulate POST requests with payloads like `';alert(document.domain);//` to test if the system is vulnerable."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to upgrade OpenEMR to version 8.0.0.2 or later, where the vulnerability is fixed.

The fix involves properly escaping user input before embedding it into JavaScript contexts by using functions like `js_escape()` or `json_encode()` with appropriate flags to prevent script injection.

• Apply the patch that replaces raw string concatenation with safe encoding functions in `portal/portal_payment.php` and `portal/lib/paylib.php`.
• If immediate upgrade is not possible, consider implementing input validation or filtering on the `inv_values` parameter to block suspicious characters like single quotes or script tags.
• Limit staff access to the patient portal payment review page until the patch is applied to reduce risk of exploitation.

Useful 0 Not Useful 0