OpenEMR controller.php Reflected Cross-Site Scripting Vulnerability

By GIXnews


A vulnerability in the doc_id parameter of OpenEMR could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack on a targeted system.

The vulnerability exists because the controller.php code of the affected software does not properly sanitize user-supplied input. An attacker could exploit this vulnerability by persuading a user to access a link that submits malicious input to the targeted system. A successful exploit could allow the attacker to execute arbitrary script code or access sensitive information on the targeted system.

OpenEMR has not confirmed the vulnerability; however, software updates are available.

Security Impact Rating: Medium

CVE: CVE-2019-3964

Source:: Cisco Multivendor Vulnerability Alerts