CVE-2022-1458
Published: 25 April 2022
Summary
CVE-2022-1458 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Open-Emr Openemr. Its CVSS base score is 5.4 (Medium).
Operationally, it is ranked in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-1458 is a stored cross-site scripting vulnerability, tracked under CWE-79, that can lead to session hijacking. It affects the openemr/openemr GitHub repository in versions prior to 6.1.0.1 and carries a CVSS 3.1 base score of 5.4.
An authenticated attacker with low privileges can inject malicious script that is stored by the application and later executed in the browsers of other users who view the affected content. Because exploitation requires user interaction and the CVSS scope is changed, a successful attack can expose or manipulate limited session data belonging to those other users.
The referenced commit 31f08005e53b17d1bc921d23f7ee774930ad416d in the OpenEMR repository addresses the issue, and the associated huntr.dev report documents the same fix. Upgrading to version 6.1.0.1 or later applies the remediation.
The EPSS score has remained flat at 0.1043 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24763
Vulnerability details
Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
Input validation rejects web inputs containing script-related content that could produce XSS.
Output validation or encoding against the expected content type can reject or sanitize script content in generated web pages, reducing XSS exploitability.