Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67491

CVE-2025-67491: OpenEMR Stored XSS Vulnerability

CVE-2025-67491 is a stored XSS vulnerability in OpenEMR's billing interface that allows low-privileged users to inject malicious scripts and steal session cookies. This post covers the technical details, affected versions, and patches.

Published:

CVE-2025-67491 Overview

CVE-2025-67491 is a stored cross-site scripting (XSS) vulnerability affecting OpenEMR, a widely-used free and open source electronic health records (EHR) and medical practice management application. The vulnerability exists in the ub04 helper component of the billing interface, where the $data variable is passed in a click event handler enclosed in single quotes without proper sanitization.

Despite the use of json_encode, attackers with low privileges can inject malicious JavaScript payloads that persist on the server. This stored XSS attack enables malicious users to steal session cookies and perform unauthorized actions while impersonating administrators, posing significant risks to healthcare data confidentiality and system integrity.

Critical Impact

Low-privileged users can embed persistent malicious JavaScript payloads in the billing interface to steal administrator session cookies and perform unauthorized actions, potentially compromising sensitive patient health records and medical practice data.

Affected Products

  • OpenEMR versions 5.0.0.5 through 7.0.3.4
  • OpenEMR billing interface ub04 helper component
  • Healthcare organizations using vulnerable OpenEMR deployments

Discovery Timeline

  • 2026-02-25 - CVE-2025-67491 published to NVD
  • 2026-02-25 - Last updated in NVD database

Technical Details for CVE-2025-67491

Vulnerability Analysis

This stored XSS vulnerability stems from insufficient input sanitization in the ub04_helpers.php file within OpenEMR's billing interface. The vulnerable code passes user-controlled data through a click event handler where it is enclosed in single quotes. While the application employs json_encode as a defensive measure, this encoding is insufficient to prevent XSS attacks when the output context is an HTML attribute within single quotes.

An attacker with low-privilege access to the billing system can craft a payload that breaks out of the single-quote context and injects arbitrary HTML and JavaScript. The malicious payload persists in the database and executes whenever other users—including administrators—view the affected billing records. This persistence makes the attack particularly dangerous in healthcare environments where billing data is frequently accessed by multiple staff members with varying privilege levels.

Root Cause

The root cause is improper output encoding in the interface/billing/ub04_helpers.php file. The $data variable is inserted into an HTML onclick attribute without context-appropriate escaping. While json_encode provides some protection against JavaScript string escaping, it does not properly handle HTML attribute context escaping, allowing attackers to break out of the attribute value and inject malicious content.

Attack Vector

The attack is network-accessible and requires low privileges (authenticated user with access to billing functions). User interaction is required as a victim must view the page containing the malicious payload. An attacker can inject a payload such as ac' ><img src=x onerror=alert(document.cookie)> into billing form fields. When another user views the affected record, the malicious JavaScript executes in their browser context, potentially stealing session tokens or performing actions with the victim's privileges.

php
// Security patch in interface/billing/ub04_form.php - Merge commit from fork (#9698)
         var ii = i+1;
         if(typeof(ub04id[ii]) != 'undefined' && ub04id[ii] !== ""){
             var val = ub04id[ii];
-            if( val.length > max && max > 0 ){
+            if(val != null && val.length > max && max > 0 ){
                 val = ub04id[ii].substring(0,max);
             }
             document.getElementById("ub04id"+ ii.toString()).value = val;

Source: GitHub Commit Log

Detection Methods for CVE-2025-67491

Indicators of Compromise

  • Unusual JavaScript code patterns in billing records containing <script>, onerror=, onclick=, or similar event handlers
  • Session cookie exfiltration attempts in network logs targeting external domains
  • Billing record entries containing HTML tags such as <img>, <iframe>, or <svg> with event attributes
  • Unexpected administrator actions performed during times when legitimate admins were not active

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect XSS payload patterns in billing form submissions
  • Enable Content Security Policy (CSP) headers to prevent inline script execution and report violations
  • Deploy endpoint detection solutions to monitor for suspicious browser behavior and credential theft attempts
  • Review application logs for billing interface access patterns that suggest reconnaissance or exploitation

Monitoring Recommendations

  • Monitor OpenEMR audit logs for unusual billing record modifications or access patterns
  • Configure alerts for CSP violation reports indicating attempted XSS execution
  • Track session anomalies such as session tokens used from unexpected IP addresses or user agents
  • Implement database query logging to detect injection of HTML/JavaScript content in billing fields

How to Mitigate CVE-2025-67491

Immediate Actions Required

  • Upgrade OpenEMR to version 7.0.4 or later immediately to receive the security patch
  • Audit existing billing records in the database for signs of injected malicious content
  • Force session invalidation and password resets for all users, especially administrators, if compromise is suspected
  • Implement Content Security Policy headers to provide defense-in-depth against XSS attacks

Patch Information

OpenEMR version 7.0.4 addresses this vulnerability by implementing proper input validation and output encoding. The fix adds null checking and improves sanitization of the $data variable before it is rendered in HTML context. Organizations should prioritize this upgrade given the sensitive nature of healthcare data managed by OpenEMR.

Detailed patch information is available in the GitHub Security Advisory and the commit implementing the fix.

Workarounds

  • Restrict access to the billing interface to only essential personnel until patching is complete
  • Implement WAF rules to block requests containing common XSS payload patterns targeting billing endpoints
  • Enable strict Content Security Policy headers to prevent execution of injected scripts
  • Consider placing the OpenEMR billing interface behind additional authentication or network segmentation
bash
# Configuration example - Apache CSP header to mitigate XSS
# Add to OpenEMR Apache configuration or .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.