CVE-2024-0875
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in OpenEMR 7.0.1 allows attackers to inject malicious scripts into the Secure Messaging feature's 'inputBody' field. When other users view these messages, the scripts execute in their browsers, potentially compromising their accounts. This affects all OpenEMR 7.0.1 installations with the Secure Messaging feature enabled.
💻 Affected Systems
- openemr/openemr
📦 What is this software?
OpenEMR by OpenEMR
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full control of victim's OpenEMR account, accesses sensitive patient data, modifies medical records, or performs unauthorized actions as the victim.
Likely Case
Attacker steals session cookies or authentication tokens, leading to account takeover and unauthorized access to patient information.
If Mitigated
Script execution is blocked by browser security features or content security policies, limiting impact to minor UI disruption.
🎯 Exploit Status
Exploit requires authenticated access to send messages. Public proof-of-concept exists in bounty reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.2.1
Vendor Advisory: https://github.com/openemr/openemr/commit/d141d2ca06fb2171a202c7302dd5d5af8539f255
Restart Required: No
Instructions:
1. Backup your OpenEMR installation and database.
2. Download OpenEMR version 7.0.2.1 from the official repository.
3. Replace the vulnerable files with patched versions.
4. Verify the fix by checking that input sanitization is applied to the 'inputBody' field.
🔧 Temporary Workarounds
Disable Secure Messaging Feature
Temporarily disable the vulnerable Secure Messaging feature to prevent exploitation.
Navigate to Administration > Globals > Features > Disable 'Secure Messaging'
Implement Content Security Policy
Add CSP headers to block inline script execution in messages.
Add the header "Content-Security-Policy: script-src 'self'" to the web server configuration. Note that script-src 'self' blocks every inline script, including the application's own, so test the policy in a staging environment first.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-controlled fields in the messaging system.
- Deploy a web application firewall (WAF) with XSS protection rules to block malicious payloads.
🔍 How to Verify
Check if Vulnerable:
Test by attempting to inject a simple XSS payload like <script>alert('test')</script> into the Secure Messaging 'inputBody' field and checking if it executes when viewed.
Check Version:
Check the OpenEMR version in the footer of any page or run: grep "\$openemr_version" /path/to/openemr/interface/globals.php
Verify Fix Applied:
After patching, attempt the same XSS injection test; the script should be properly sanitized and not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns in message content logs containing script tags or JavaScript code
- Multiple failed login attempts following message views
Network Indicators:
- Outbound connections to suspicious domains from the OpenEMR server following message access
SIEM Query:
source="openemr_logs" AND (message_content CONTAINS "<script>" OR message_content CONTAINS "javascript:")
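The SIEM query above matches the literal strings "<script>" and "javascript:", which misses mixed-case, URL-encoded and HTML-entity-encoded variants of the same content. The following script, added here as an example and not part of the advisory or of OpenEMR, applies the same two indicators over constructed sample log lines after decoding them; the key=value log format and the field names are assumptions, with 'message_content' taken from the query above.

```python
import html
import re
from urllib.parse import unquote

# Same indicators as the advisory's SIEM query (script tags, javascript: URIs),
# but matched case-insensitively after decoding, so encoded variants are not missed.
PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
]

def normalize(body: str) -> str:
    """Strip URL- and HTML-entity encoding (repeatedly) so encoded payloads are visible."""
    prev, cur = None, body
    while cur != prev:  # each decode step shortens the string, so this terminates
        prev, cur = cur, html.unescape(unquote(cur))
    return cur

def flag_message(body: str) -> list[str]:
    """Return the names of the patterns found in one message body (empty list = clean)."""
    text = normalize(body)
    return [name for name, rx in PATTERNS if rx.search(text)]

# Constructed sample records in a key=value format (assumed, not real OpenEMR log output);
# the 'message_content' field name is the one used in the advisory's SIEM query.
SAMPLE_LOGS = [
    'ts=2024-01-10T09:12:01Z user=drsmith action=send message_content="Please call the patient back today."',
    'ts=2024-01-10T09:13:44Z user=frontdesk action=send message_content="Results: &lt;script&gt;fetch(...)&lt;/script&gt;"',
    'ts=2024-01-10T09:15:02Z user=nurse1 action=send message_content="<a href=\'JAVASCRIPT:void(0)\'>click</a>"',
    'ts=2024-01-10T09:16:30Z user=drsmith action=send message_content="Scheduling moved to 3pm, see calendar."',
]

FIELD_RX = re.compile(r'message_content="(.*)"$')
USER_RX = re.compile(r"\buser=(\S+)")

def scan_logs(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (user, matched_patterns) for every log line whose message body is suspicious."""
    alerts = []
    for line in lines:
        m = FIELD_RX.search(line)
        hits = flag_message(m.group(1)) if m else []
        if hits:
            alerts.append((USER_RX.search(line).group(1), hits))
    return alerts

if __name__ == "__main__":
    for user, hits in scan_logs(SAMPLE_LOGS):
        print(f"ALERT user={user} patterns={','.join(hits)}")
```

Run against the constructed sample, the entity-encoded message and the mixed-case javascript: link are both flagged while the two ordinary messages are not.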