Stored Cross-Site Scripting Vulnerability in OpenEMR Affected by Malicious JavaScript Injection
CVE-2025-43860

7.6HIGH

Key Information:

Vendor: Openemr
Status: Openemr
Vendor: CVE Published:; 23 May 2025

What is CVE-2025-43860?

OpenEMR, an open-source electronic health records solution, suffers from a stored cross-site scripting vulnerability that affects versions prior to 7.0.3.4. This weakness allows authenticated users with privileges to create and edit patients to inject arbitrary JavaScript code via specific Text Box fields (such as Address, Address Line 2, Postal Code, and City) as well as Drop Down options (like Address Use, State, and Country) in the Additional Addresses section. The injected scripts can be executed dynamically during form input and upon later editing of the form data. A patch addressing this vulnerability is included in version 7.0.3.4.

Affected Version(s)

openemr < 7.0.3.4

References

https://github.com/openemr/openemr/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 23, 2025
Vulnerability Reserved
Apr 17, 2025

Openemr

What is CVE-2025-43860?

Affected Version(s)

References

CVSS V3.1

Timeline