OpenEMR 4.1.1 (site param) Remote XSS Vulnerability

OpenEMR suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘site’ GET parameter in the central ‘globals.php’ script which is called by every script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5129.php

Vendor: http://www.open-emr.org/wiki/index.php/OpenEMR_Patches

Comment are closed.