CVE-2024-0875 HIGH

CVE-2024-0875: Stored XSS in openemr/openemr

Vendor Openemr
Product openemr/openemr
Weakness CWE-79 · XSS
Published November 15, 2024
Last update November 15, 2024

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which can then be sent to other users. When the recipient views the malicious message, the payload is executed, potentially compromising their account. This issue is fixed in version 7.0.2.1.

Key dates

02Disclosure timeline

November 15, 2024 CVE published
November 15, 2024 Record updated