OpenEMR controller.php Reflected Cross-Site Scripting Vulnerability
A vulnerability in the foreign_id parameter of OpenEMR could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack on a targeted system.
The vulnerability exists because the controller.php code of the affected software does not properly sanitize user-supplied input. An attacker could exploit this vulnerability by persuading a user to access a link that submits malicious input to the targeted system. A successful exploit could allow the attacker to execute arbitrary script code or access sensitive information on the targeted system.
OpenEMR has not confirmed the vulnerability; however, software updates are available.
Security Impact Rating: Medium
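
A detection-side illustration of the issue described above, added here and not taken from OpenEMR or from this advisory's author: it scans web server access logs for requests to controller.php whose foreign_id value, after percent-decoding, contains HTML markup characters. The log lines, the combined log format and the function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /controller.php?foreign_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /controller.php?foreign_id=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /controller.php?foreign_id=%2522%253E%253Ci%253E HTTP/1.1" 200 5290 "-" "Mozilla/5.0"
198.51.100.3 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?foreign_id=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client address and request target from one combined-format line.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Characters that can open a tag or break out of an attribute in reflected HTML.
MARKUP_CHARS = set("<>\"'`")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text):
    """Return (line number, client, decoded value) for each flagged foreign_id."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parseable request line
        url = urlsplit(match.group("target"))
        if not url.path.lower().endswith("/controller.php"):
            continue  # only the script named in the advisory
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name != "foreign_id":
                continue
            value = fully_decode(value)  # parse_qsl already decoded once
            if MARKUP_CHARS & set(value):
                hits.append((lineno, match.group("client"), value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit shows that markup was submitted in foreign_id, not that script ran in a browser; whether the response reflected the value unencoded has to be checked separately.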