OpenEMR Reflected XSS Vulnerability
SonicWall Capture Labs Threat Research Team has observed the following threat:
OpenEMR is a comprehensive open-source electronic health records (EHR) and medical practice management application. It provides an array of functionalities aimed at enhancing the efficiency of medical practice management. Among the critical features it provides are patient statistics, medical billing, electronic medical record (EMR) generation, and appointment scheduling. The listed capabilities empower medical practitioners, clinics, and hospitals to effectively manage and coordinate patient schedules, maintain detailed patient records, and streamline the billing process electronically. OpenEMR is designed with a flexible, user-friendly interface, making it an accessible solution for healthcare providers aiming to digitize and optimize their administrative and patient care processes. As an open-source platform, it also affords the flexibility of customization according to individual or institutional needs, further enhancing its applicability across a broad range of healthcare settings.
A reflected cross-site scripting vulnerability has been identified in OpenEMR. This vulnerability arises from inadequate input validation associated with the ‘list_id’ parameter in ‘share_template.php’.
A remote attacker could exploit this vulnerability by enticing a victim to open a crafted URL. Successfully exploiting this vulnerability could result in arbitrary code execution in the context of the victim’s browser.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2948.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).
Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is required.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 8.6 (E:P/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
where $list_id is sanitized first by using PHP htmlspecialchars() function.
In this scenario, the crafted value allows the original “add_template()” function definition to be escaped and a script command – “alert(55555)” – to be inserted right after the function’s conclusion. Consequently, the “alert(55555)” will execute when the server-returned HTML content is loaded in the user’s browser. If the “alert(55555)” were to be swapped with a different malicious script, it would lead to the execution of this harmful code in the browser, potentially triggering XSS opportunities.
Triggering the Problem:
• The target system must have the vulnerable product installed and running.
• The target user must have network connectivity to the affected ports.
• The attacker must be able to deliver a malicious URL to a target user.
A user is lured by an attacker into opening a URL that contains a carefully designed list_id parameter. The vulnerability manifests itself when the user initiates the URL in a web browser.
SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:
• IPS: 19216 OpenEMR Cross-Site Scripting
The risks posed by this vulnerability can be mitigated or eliminated by:
• Filtering traffic based on the signature above.
• Upgrading the product to a non-vulnerable version.
The vendor has released the following patch to address this issue: