CVE-2025-67491
📋 TL;DR
OpenEMR versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the billing interface's ub04 helper. Low-privileged users can inject malicious JavaScript that executes when administrators view billing data, potentially stealing session cookies. This affects all OpenEMR installations using vulnerable versions.
💻 Affected Systems
- OpenEMR
📦 What is this software?
OpenEMR by the OpenEMR project (open-source electronic health records and medical practice management software)
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access, and compromise patient health records and system integrity.
Likely Case
Attackers steal session cookies of users viewing billing data, perform unauthorized actions, and potentially access sensitive patient information.
If Mitigated
With proper input validation and output encoding, the payload would be neutralized, preventing JavaScript execution.
🎯 Exploit Status
The advisory includes specific payload examples. The attack requires low-privileged user access to the billing interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.4
Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-5fq8-jwvw-3m5w
Restart Required: No
Instructions:
1. Back up your OpenEMR installation and database.
2. Download OpenEMR 7.0.4 or later from the official repository.
3. Replace vulnerable files with patched versions.
4. Verify the fix by checking that the ub04_helpers.php file includes proper sanitization.
🔧 Temporary Workarounds
Disable billing interface
Temporarily disable the billing interface to prevent exploitation while patching.
# Modify OpenEMR configuration to disable billing module
# Consult OpenEMR documentation for specific configuration changes
Implement WAF rules
Add web application firewall rules to block XSS payloads in billing requests.
# Example ModSecurity rule: SecRule ARGS "ac'\s*><img" "id:1001,phase:2,deny,msg:'OpenEMR XSS attempt'"
# Adjust based on your WAF platform
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Monitor and audit user activity in billing interface for suspicious payload submissions.
🔍 How to Verify
Check if Vulnerable:
Check the OpenEMR version via the interface or by examining the version.php file. If the version is between 5.0.0.5 and 7.0.3.4 inclusive, the system is vulnerable.
Check Version:
grep -r "\$v\s*=\s*'openemr_version'" /path/to/openemr/interface/login/version.php
Verify Fix Applied:
After patching, verify that the ub04_helpers.php file at lines 52-60 no longer contains the vulnerable click event handler without proper sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual billing interface submissions containing JavaScript payloads
- Multiple failed login attempts followed by billing interface access
Network Indicators:
- HTTP requests to billing interface with suspicious parameters containing script tags or event handlers
SIEM Query:
source="web_logs" AND (uri_path="/interface/billing/ub04_helpers.php" AND (param_value="*ac'*" OR param_value="*onerror=*" OR param_value="*alert(*"))
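The SIEM query above expressed as a standalone log scanner, as an added example that is not part of the advisory or of OpenEMR. It parses constructed Apache combined-format log lines (sample traffic, not real), scopes to the ub04_helpers.php path, and flags request parameters that carry the indicators this page lists (the `ac'` attribute break-out from the ModSecurity rule, `onerror=`, `alert(`) plus generic tag and event-handler markers; the log lines and indicator names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:00:01 +0000] "GET /interface/billing/ub04_helpers.php?ac=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2025:10:00:02 +0000] "GET /interface/billing/ub04_helpers.php?ac=ac%27%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2025:10:00:03 +0000] "GET /interface/main/main.php?alert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/interface/billing/ub04_helpers.php"

# Indicator names are assumed labels; patterns come from the page's WAF rule and SIEM query,
# plus generic tag / inline-event-handler markers.
INDICATORS = [
    ("attr_breakout_img", re.compile(r"ac'\s*><img", re.I)),
    ("onerror", re.compile(r"onerror\s*=", re.I)),
    ("alert_call", re.compile(r"alert\s*\(", re.I)),
    ("html_tag", re.compile(r"<\s*(script|img|svg)\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


def scan_log(text):
    """Return one finding per request parameter to the billing helper that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed access-log records
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue  # other endpoints are out of scope for this rule
        # parse_qsl percent-decodes values, so the patterns see the payload as the browser would.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            matched = [label for label, pat in INDICATORS if pat.search(value)]
            if matched:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "param": name,
                             "value": value, "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the second sample line is reported; the third carries `alert(1)` but targets a different path, which is the same scoping the SIEM query applies.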