Overview
The report discusses a stored cross-site scripting (XSS) vulnerability in OpenEMR, an open-source electronic health records and medical practice management application. The vulnerability, identified as CVE-2025-32794, affects versions prior to 7.0.3.4 and has a high impact due to its potential to compromise systems or leak sensitive data.
Vulnerability Summary
CVE ID: CVE-2025-32794
Severity: High (CVSS: 7.6)
Attack Vector: Stored Cross-Site Scripting (XSS)
Privileges Required: Low (Authenticated user with patient creation privileges)
User Interaction: Required (Viewing the patient’s encounter under Orders → Procedure Orders)
Impact: Potential system compromise or data leakage
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
OpenEMR | Versions prior to 7.0.3.4
How the Exploit Works
The exploit involves an authenticated user with patient creation privileges injecting arbitrary JavaScript code into the First and Last Name fields during patient registration. The stored XSS vulnerability is exploited when this malicious payload is executed as someone views the patient’s encounter under Orders → Procedure Orders.
Conceptual Example Code
The following is a conceptual example of how an attacker might attempt to exploit this vulnerability:
POST /patient/registration HTTP/1.1
Host: vulnerablehospital.example.com
Content-Type: application/json
{
"first_name": "<script>/*malicious JavaScript code*/</script>",
"last_name": "<script>/*malicious JavaScript code*/</script>"
}
Mitigation
Users are strongly advised to apply the vendor patch, which is included in version 7.0.3.4 of OpenEMR. In the interim, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can provide temporary mitigation.
