CVE-2024-0875
Published: 15 November 2024
Summary
CVE-2024-0875 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in OpenEMR. Its CVSS base score is 4.8 (Medium).
Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A stored cross-site scripting vulnerability affects OpenEMR version 7.0.1 within the Secure Messaging feature. Attackers can supply malicious payloads through the inputBody field; these payloads are persisted and later rendered when another user views the message, executing in the recipient's browser context. The flaw is resolved in version 7.0.2.1.
An authenticated user with high privileges can exploit the issue by composing and sending a message containing the crafted payload. Upon viewing, the script runs with the recipient's permissions, enabling actions that may lead to account compromise. The CVSS vector reflects the need for high privileges and recipient interaction.
Mitigation consists of upgrading to OpenEMR 7.0.2.1; the fix is documented in the project's commit history and the associated huntr.com bounty report. The EPSS score has remained flat at 0.0629 with no material rise after disclosure.
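Because the payload is stored and only runs when a recipient opens the message, a useful defensive check is to audit message bodies already in the store for active markup. The following is an added example, not OpenEMR code and not the project's fix; the record shape (`id`, `body`), the tag and attribute lists, and the sample messages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed lists: elements and URL attributes that can run or load active content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base", "meta"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects reasons a message body would be unsafe if rendered unescaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            # Drop whitespace and control characters, then lowercase, before matching.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):  # event-handler attributes (may over-match)
                self.findings.append(f"handler:{name}")
            elif name in URL_ATTRS and compact.startswith(BAD_SCHEMES):
                self.findings.append(f"url:{name}")


def audit_messages(messages):
    """Return {message_id: [findings]} for bodies containing active markup."""
    flagged = {}
    for msg in messages:
        finder = ActiveContentFinder()
        finder.feed(msg["body"])
        finder.close()
        if finder.findings:
            flagged[msg["id"]] = finder.findings
    return flagged


# Constructed sample records; the id/body field names are assumptions.
SAMPLE_MESSAGES = [
    {"id": 1, "body": "Lab results attached. Please call if BP > 140 or < 90."},
    {"id": 2, "body": 'Reminder <img src="x.png" onerror="fetch(1)">'},
    {"id": 3, "body": '<a href=" JavaScript:void(0)">refill form</a>'},
    {"id": 4, "body": "See <b>updated</b> dosage for patient in room 4."},
]

if __name__ == "__main__":
    for mid, why in audit_messages(SAMPLE_MESSAGES).items():
        print(mid, why)
```

Flagged records are candidates for review rather than confirmed payloads; the audit complements the upgrade to 7.0.2.1 and does not replace it.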
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16657
Vulnerability details
A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which can then be sent to other users. When the recipient views the malicious message, the payload is executed, potentially compromising their account. This issue is fixed in version 7.0.2.1.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.