In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. An highly privileged attacker could inject arbitrary code into input fields when creating a new user.
The module `OpenEMR` can be abused via Stored Cross-Site Scripting vulnerability since the application is not validating specific input fields like `First Name` and `Last Name` while creating a New User. Due to this flaw, a malicious administrator can create a user with arbitrary script in the input fields and when that user logs and selects Authentication method `U2F USB Device` from `MFA Management`, it results in Stored Cross-Site Scripting Vulnerability.
Login as an administrator, go to Users section under Administration, and click on the `Add User` button. Create a new user, and in the `First Name` or `Last Name` input fields, insert the XSS payload, as can be seen in the POC code section. Now when the user previously created logs in and enters into `U2F USB Device`, the payload gets executed.
//first name: <script>alert(document.cookie)</script>
//last name: <script>alert(XSS!)</script>
Upgrade to version 126.96.36.199