Security Research & Advisories

Multiple Vulnerabilities in OpenEMR

Product OpenEMR
Affected Version(s) 5.0.0 and probably prior
Tested Version(s) 5.0.0 and 5.0.1-dev
Vulnerability Discovery May 21, 2017
Vendor Notification May 23, 2017
Advisory Publication May 23, 2017 [without technical details]
Vendor Acknowledgment May 25, 2017
Vendor Fix Not fixed as of OpenEMR 5.0.0 patch 7
Public Disclosure March 12, 2018
Latest Modification March 12, 2018
CVE Identifier(s) CVE-2017-1000240
Product Description OpenEMR is a Free and Open Source electronic health records and medical practice management application. It is ONC Certified and it features fully integrated electronic health records, practice management, scheduling, electronic billing, internationalization, free support, a vibrant community, and a whole lot more.
Credits Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Multiple Reflected & Stored Cross-Site Scripting (XSS) Vulnerabilities
Severity: Medium CVSS Score: 5.4 CWE-ID: CWE-79 Status: Not Fixed
Vulnerability Description
The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact Low
Privileges Required Low Integrity Impact Low
User Interaction Required Availability Impact None


The OpenEMR has multiple Cross-Site Scripting vulnerabilities due to the lack of input validation and output encoding.

Example #1

The value of the document_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload wizlynx"></script><script>alert("wizlynx says XSS!")</script>group was submitted in the document_id parameter. This input was echoed unmodified and non-encoded in the application's response resulting in a XSS vulnerability.


The following screenshot shows the JavaScript being executed on the client side:

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Example #2

When adding a note to an existing attachment, it is possible to abuse the “note” parameter to inject a malicious JavaScript. This is possible because of the lack of input validation and output encoding, and results in a stored XSS vulnerability. The following screenshot shows the request and response:

The following screenshot shows the server’s response displayed in the browser

Other affected pages & parameters:

/openemr/controller.php #patient_id


/openemr/interface/patient_file/summary/pnotes_full.php #offset

/openemr/interface/patient_file/summary/pnotes_full.php?docid=0&orderid=0&mode=new&trigger=add&offset=0ei5hz"><script>alert(1)<%2fscript> spz31peeulo&form_active=1&form_inactive=1¬eid=&form_doc_only=1&form_note_type=Insurance&assigned_to=Yann¬e=sdfawefa

Note: all Cross-Site Scripting vulnerabilities have not been fixed as of OpenEMR 5.0.0 patch 7.