CVE-2024-0875

Stored XSS in openemr/openemr

CVSS 8.1 HIGHEPSS 0.4%CWE-79

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.1EPSS 0.4%KEV nãoPoC —Patch —

Lifecycle

15 Nov 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which can then be sent to other users. When the recipient views the malicious message, the payload is executed, potentially compromising their account. This issue is fixed in version 7.0.2.1.

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products

openemr · openemr/openemr

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/openemr/openemr/commit/d141d2ca06fb2171a202c7302dd5d5af8539f255 https://huntr.com/bounties/16cba0fc-748d-4ea8-9573-1f6fbe9a27c9