

Date: March 22, 2021


OpenEMR versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site Scripting (XSS) because user input is not validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.


The `OpenEMR` module can be abused through a Stored Cross-Site Scripting vulnerability because the application does not validate specific input fields, such as `First Name` and `Last Name`, when a new user is created. As a result, a malicious administrator can create a user with arbitrary script in those fields; when that user logs in and selects `MFA Management`, the stored script executes.

PoC Details

Log in as an administrator, go to the Users section under Administration, and click the `Add User` button. Create a new user, and in the `First Name` or `Last Name` input field insert the XSS payload shown in the PoC Code section. When the newly created user logs in and clicks `MFA Management`, the payload is executed.

PoC Code

//first name: <script>alert(document.cookie)</script>
//last name: <script>alert('XSS!')</script>
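
The unescaped-output pattern behind this class of bug, next to its hardened form, as an added PHP example. It is not OpenEMR source code: the array keys, function names and markup are hypothetical, and the stored record is constructed sample data.

```php
<?php
declare(strict_types=1);

// Constructed sample record: a stored user row whose name fields contain
// markup that was accepted without validation (values are illustrative).
$user = [
    'fname' => '<b>Alice</b>',
    'lname' => 'O\'Neil "Test" <i>x</i>',
];

// Unsafe pattern: stored values are concatenated into HTML unchanged, so any
// markup in them is parsed by the browser of whoever opens the page.
function renderGreetingUnsafe(array $user): string
{
    return '<h3>MFA Management for ' . $user['fname'] . ' ' . $user['lname'] . '</h3>';
}

// Hardened pattern: encode at output time for the HTML context.
// ENT_QUOTES encodes both quote characters, so the helper is also safe inside
// quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderGreetingSafe(array $user): string
{
    $name = $user['fname'] . ' ' . $user['lname'];
    return '<h3>MFA Management for ' . h($name) . '</h3>'
        . '<input type="hidden" name="display_name" value="' . h($name) . '">';
}

// Defence in depth at write time: accept only characters that belong in a
// person's name. Output encoding above is still required for existing rows.
function isPlausibleName(string $value): bool
{
    return $value !== '' && strlen($value) <= 128
        && preg_match('/^[\p{L}\p{M}\' .-]+$/u', $value) === 1;
}

echo renderGreetingUnsafe($user), PHP_EOL;   // markup from the record is emitted as-is
echo renderGreetingSafe($user), PHP_EOL;     // markup is emitted as inert text
var_dump(isPlausibleName('Anne-Marie'), isPlausibleName($user['fname']));
```

Encoding at output protects pages that read rows created before any input check existed, which is why the write-time check alone is not sufficient.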


Language: PHP

Good to know:


Cross-Site Scripting (XSS)


Upgrade Version

Upgrade to version v6_0_0_1


CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None