CVE-2025-25925

4.8 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in OpenMRS v2.4.3 Build 0ff0ed allows attackers to inject malicious scripts into the personName.middleName field. When administrators view patient forms containing the injected payload, the scripts execute in their browser context. This affects all OpenMRS installations running the vulnerable version.

💻 Affected Systems

Products:
  • OpenMRS
Versions: v2.4.3 Build 0ff0ed
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default patient form configuration and requires no special configuration to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as administrators, or redirect users to malicious sites, potentially compromising the entire healthcare information system.

🟠 Likely Case

Attackers with patient data entry access could inject scripts that execute when administrators view patient records, potentially stealing session tokens or performing limited unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, the malicious payloads would be rendered harmless as plain text rather than executable code.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to patient data entry functionality. Public proof-of-concept demonstrates the injection technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: http://openmrs.com

Restart Required: No

Instructions:

1. Check OpenMRS website for security updates
2. Apply any available patches for v2.4.3
3. Verify the fix by testing the vulnerable endpoint

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement server-side input validation to sanitize the personName.middleName parameter

Implement input validation in the patient form handler to strip or encode HTML/script tags

Output Encoding

Applies to: all

Apply proper output encoding when displaying the middleName field

Use HTML entity encoding (e.g., &lt; for <, &gt; for >) when rendering the middleName field
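The two workarounds above, as an added example that is not OpenMRS code: a Python rendering of the vulnerable pattern (the stored middle name concatenated into markup verbatim) beside the hardened pattern (HTML entity encoding at output time via the standard library's html.escape), plus a server-side acceptance check for the field. The table cell markup, the function names and the name character rule are assumptions made for the illustration; the payload is the one the "How to Verify" step uses.

```python
import html
import re

# Constructed payload, identical to the one in the advisory's verification step.
SAMPLE_PAYLOAD = "<script>alert('XSS')</script>"

# Hypothetical markup for the cell that shows the field; not OpenMRS's template.
CELL_TEMPLATE = '<td id="personName.middleName">{value}</td>'


def render_middle_name_unsafe(middle_name: str) -> str:
    """Vulnerable pattern: the stored value is interpolated as-is, so any
    markup it contains becomes part of the page the administrator views."""
    return CELL_TEMPLATE.format(value=middle_name)


def render_middle_name_safe(middle_name: str) -> str:
    """Hardened pattern: entity-encode at output time. html.escape maps
    <, >, &, " and ' to &lt; &gt; &amp; &quot; &#x27;, so the browser shows
    the payload as text instead of parsing it as a tag."""
    return CELL_TEMPLATE.format(value=html.escape(middle_name, quote=True))


def contains_raw_script_tag(rendered: str) -> bool:
    """The check behind 'verify it appears as plain text': is there still an
    unencoded <script tag in the rendered cell?"""
    return "<script" in rendered.lower()


# Assumed name rule for the input-validation workaround: letters (any script),
# marks, spaces, apostrophes, hyphens and periods; anything else is rejected.
# Rejecting is defense in depth only; output encoding remains the real fix.
_NAME_OK = re.compile(r"^[^\W\d_][\w' .\-]*$", re.UNICODE)
MAX_NAME_LEN = 50  # assumed limit for the illustration


def is_acceptable_middle_name(middle_name: str) -> bool:
    """Server-side validation for personName.middleName: empty is fine
    (middle names are optional); otherwise enforce the name rule and length."""
    if middle_name == "":
        return True
    if len(middle_name) > MAX_NAME_LEN:
        return False
    return _NAME_OK.match(middle_name) is not None


if __name__ == "__main__":
    print("unsafe:", render_middle_name_unsafe(SAMPLE_PAYLOAD))
    print("safe:  ", render_middle_name_safe(SAMPLE_PAYLOAD))
    print("payload accepted by validator:", is_acceptable_middle_name(SAMPLE_PAYLOAD))
```

Note that the validator intentionally permits apostrophes and hyphens, which real names need; that is why html.escape is applied with quote=True at output, so an apostrophe in a legitimate name is also encoded wherever the value lands inside an attribute.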

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in the personName.middleName parameter
  • Restrict access to patient data entry functionality to trusted users only

🔍 How to Verify

Check if Vulnerable:

Test by entering a payload like <script>alert('XSS')</script> in the personName.middleName field and checking if it executes when viewing the patient form

Check Version:

Check OpenMRS version in administration interface or configuration files

Verify Fix Applied:

After applying fixes, test with the same payload and verify it appears as plain text rather than executing

📡 Detection & Monitoring

Log Indicators:

  • Unusual characters or script tags in personName.middleName field entries
  • Multiple failed validation attempts on patient forms

Network Indicators:

  • HTTP POST requests to /openmrs/admin/patients/shortPatientForm.form containing script tags in parameters

SIEM Query:

source="web_server_logs" AND uri="/openmrs/admin/patients/shortPatientForm.form" AND (param="personName.middleName" AND value MATCHES "<script.*>")

🔗 References