CVE-2024-0875 — MEDIUM (4.8)

Vulnerability Description

A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which can then be sent to other users. When the recipient views the malicious message, the payload is executed, potentially compromising their account. This issue is fixed in version 7.0.2.1.

CVSS Score

4.8

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Open-Emr	Openemr	7.0.1

Related Weaknesses (CWE)

CWE-79

References

https://github.com/openemr/openemr/commit/d141d2ca06fb2171a202c7302dd5d5af8539f2Patch
https://huntr.com/bounties/16cba0fc-748d-4ea8-9573-1f6fbe9a27c9ExploitThird Party Advisory

FAQ

What is CVE-2024-0875?

CVE-2024-0875 is a vulnerability with a CVSS score of 4.8 (MEDIUM). A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which c...

How severe is CVE-2024-0875?

CVE-2024-0875 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-0875?

Check the references section above for vendor advisories and patch information. Affected products include: Open-Emr Openemr.