CVE-2024-0875

Published: Nov 15, 2024Modified: Nov 19, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which can then be sent to other users. When the recipient views the malicious message, the payload is executed, potentially compromising their account. This issue is fixed in version 7.0.2.1.

Affected (1)

Products: Open Emr: Openemr

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Open Emr Openemr	Version 7.0.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/openemr/openemr/commit/d141d2ca06fb2171a202c7302dd5d5af8539f255

Source: security@huntr.dev

Patch

https://huntr.com/bounties/16cba0fc-748d-4ea8-9573-1f6fbe9a27c9

Source: security@huntr.dev

ExploitThird Party Advisory

Timeline

No history available yet.