Executive Summary

This vulnerability exists in OpenEMR versions prior to 8.0.0.3. It involves the POST parameter `title` being reflected back in a JSON response that is built using `json_encode()`. However, the response is served with a `text/html` Content-Type header, causing the browser to interpret any injected HTML or script tags instead of treating the response as JSON.

An authenticated attacker can exploit this by crafting a request that injects malicious JavaScript, which then executes in the victim's browser session.

This issue was fixed in OpenEMR version 8.0.0.3.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an authenticated attacker to execute arbitrary JavaScript in the context of a victim's session. This can lead to several impacts including theft of session tokens, unauthorized actions performed on behalf of the victim, and potential compromise of sensitive data accessible through the victim's session.

Because the attack requires authentication, it may be limited to users who have some level of access, but it still poses a significant risk to the confidentiality and integrity of user sessions.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenEMR to version 8.0.0.3 or later, as this version contains the fix for the issue.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated attacker to execute arbitrary JavaScript in a victim's session due to improper handling of a POST parameter reflected in a JSON response served as text/html. Such cross-site scripting (XSS) issues can lead to unauthorized access to sensitive health information or session hijacking.

Given that OpenEMR is an electronic health records application, exploitation of this vulnerability could compromise the confidentiality and integrity of protected health information (PHI), potentially violating regulations such as HIPAA which mandate safeguarding patient data.

Similarly, the vulnerability could impact compliance with GDPR by exposing personal data to unauthorized parties through session hijacking or data manipulation.

Therefore, until patched, this vulnerability poses a risk to compliance with standards requiring protection of sensitive health and personal data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the OpenEMR instance is running a vulnerable version (prior to 8.0.0.3) and by observing the HTTP responses to POST requests that include the `title` parameter.

Specifically, you can send an authenticated POST request with a crafted `title` parameter containing a script tag and inspect the response headers and body.

• Use curl to send a POST request with a script injection in the title parameter and check if the response Content-Type is `text/html` and if the script tag is reflected in the response body.
• Example command to test the vulnerability (replace URL and authentication details accordingly):
• curl -i -X POST -d "title=<script>alert(1)</script>" -b "auth_cookie=your_auth_cookie" https://your-openemr-instance/library/ajax/graphs.php

If the response Content-Type header is `text/html` and the script tag appears unescaped in the response body, the system is vulnerable. If the Content-Type is `application/json` and the script tag is properly escaped or not executed, the system is patched.

Useful 0 Not Useful 0