Overview
The report discusses a stored cross-site scripting (XSS) vulnerability in OpenEMR, an open-source electronic health records and medical practice management application. The vulnerability, identified as CVE-2025-32794, affects versions prior to 7.0.3.4 and has a high impact due to its potential to compromise systems or leak sensitive data.
Vulnerability Summary
CVE ID: CVE-2025-32794
Severity: High (CVSS: 7.6)
Attack Vector: Stored Cross-Site Scripting (XSS)
Privileges Required: Low (Authenticated user with patient creation privileges)
User Interaction: Required (Viewing the patient’s encounter under Orders → Procedure Orders)
Impact: Potential system compromise or data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
OpenEMR | Versions prior to 7.0.3.4
How the Exploit Works
The exploit involves an authenticated user with patient creation privileges injecting arbitrary JavaScript code into the First and Last Name fields during patient registration. The stored XSS vulnerability is exploited when this malicious payload is executed as someone views the patient’s encounter under Orders → Procedure Orders.
Conceptual Example Code
The following is a conceptual example of how an attacker might attempt to exploit this vulnerability:
POST /patient/registration HTTP/1.1
Host: vulnerablehospital.example.com
Content-Type: application/json
{
"first_name": "<script>/*malicious JavaScript code*/</script>",
"last_name": "<script>/*malicious JavaScript code*/</script>"
}Mitigation
Users are strongly advised to apply the vendor patch, which is included in version 7.0.3.4 of OpenEMR. In the interim, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can provide temporary mitigation.
