Reflected Cross-Site Scripting Vulnerability in OpenEMR by OpenEMR
CVE-2025-30149

4.6MEDIUM

Key Information:

Vendor: Openemr
Status: Openemr
Vendor: CVE Published:; 31 March 2025

What is CVE-2025-30149?

OpenEMR, an open-source electronic health records and practice management application, is susceptible to reflected cross-site scripting (XSS) through the AJAX Script interface, specifically within the layout_listitems_ajax.php file. This vulnerability allows attackers to inject malicious scripts via the target parameter, potentially compromising the integrity and security of sensitive health data. Users are urged to upgrade to version 7.0.3 or later to mitigate this risk.

Affected Version(s)

openemr < 7.0.3

References

https://github.com/openemr/openemr/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/openemr/openemr/commit/6cb70595f65decf...

x_refsource_MISC

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 31, 2025
Vulnerability Reserved
Mar 17, 2025

Openemr

What is CVE-2025-30149?

Affected Version(s)

References

CVSS V3.1

Timeline