Stored Cross-Site Scripting (XSS) Vulnerability in OpenEMR
CVE-2024-0875

4.8MEDIUM

Key Information:

Vendor: Openemr
Status: Openemr/openemr
Vendor: CVE Published:; 15 November 2024

What is CVE-2024-0875?

A stored cross-site scripting vulnerability is present in the OpenEMR application, specifically in the Secure Messaging feature of version 7.0.1. This vulnerability allows an attacker to inject harmful scripts into the 'inputBody' field. When users receive a message containing the malicious payload and view it, the payload is executed in their browser. This can lead to unauthorized access and potential compromise of user accounts. To mitigate this vulnerability, upgrading to version 7.0.2.1 or later is essential.

Affected Version(s)

openemr/openemr < 7.0.2.1

References

https://huntr.com/bounties/16cba0fc-748d-4ea8-9573-1f6fbe...

https://github.com/openemr/openemr/commit/d141d2ca06fb217...

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 15, 2024
Vulnerability Reserved
Jan 25, 2024

Openemr

What is CVE-2024-0875?

Affected Version(s)

References

CVSS V3.1

Timeline