CVE-2025-43860
Published: 23 May 2025
Summary
CVE-2025-43860 is a high-severity stored cross-site scripting (CWE-79) vulnerability in OpenEMR (vendor Open-Emr). Its CVSS base score is 7.6 (High).
Operationally, it ranks in the top 15.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting vulnerability tracked as CVE-2025-43860 affects versions prior to 7.0.3.4 and resides in the Additional Addresses section of the Contact tab within Patient Demographics. Authenticated users can store arbitrary JavaScript in the Text Box fields for Address, Address Line 2, Postal Code, and City as well as the Drop Down options for Address Use, State, and Country; the payload executes either dynamically on form input or when the record is later reloaded for editing.
Any authenticated user granted patient creation or editing rights can exploit the flaw. Successful injection allows the attacker to run scripts in the context of other users who view or edit the same patient record, potentially resulting in theft of sensitive session tokens or other high-impact actions within the application.
The referenced GitHub Security Advisory states that version 7.0.3.4 contains a patch addressing the stored XSS issue. The EPSS score remains flat at 0.0209 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28018
Vulnerability details
OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation and editing privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the (1) Text Box fields of Address, Address Line 2, Postal Code and City fields and (2) Drop Down menu options of Address Use, State and Country of the Additional Addresses section of the Contact tab in Patient Demographics. The injected script can execute in two scenarios: (1) dynamically during form input, and (2) when the form data is later loaded for editing. Version 7.0.3.4 contains a patch for the issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could otherwise produce XSS.
Output validation against the expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
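As an added illustration (not code from the advisory or from OpenEMR), the two controls above applied to the fields the advisory names: a constructed Additional Addresses record is rendered into the edit form first with raw interpolation, then with context-aware output encoding, alongside a server-side postal-code validator. The function names, field names and sample data are assumptions made for the example.

```python
import html
import re

# Constructed sample data (not from the advisory): one Additional Addresses
# record and the Address Use drop-down options, each carrying a script tag
# in one field, as stored data would after a successful injection.
SAMPLE_RECORD = {
    "address": '1 Main St"><script>alert(1)</script>',
    "city": "Springfield",
    "postal_code": "12345",
    "address_use": "home",
}
ADDRESS_USE_OPTIONS = ["home", "work", "<script>alert(2)</script>"]

# Server-side input validation: only the characters a postal code needs.
POSTAL_CODE_RE = re.compile(r"[A-Za-z0-9 -]{3,10}")


def valid_postal_code(value: str) -> bool:
    return POSTAL_CODE_RE.fullmatch(value) is not None


def render_vulnerable(record: dict, options: list) -> str:
    """'Before' form: stored strings are interpolated into HTML unencoded, so a
    quote or angle bracket in the data is parsed as markup when the record is
    loaded for editing (the advisory's second execution scenario)."""
    opts = "".join(f'<option value="{o}">{o}</option>' for o in options)
    return (f'<input name="address" value="{record["address"]}">'
            f'<input name="city" value="{record["city"]}">'
            f'<select name="address_use">{opts}</select>')


def render_hardened(record: dict, options: list) -> str:
    """Same form with output encoding: html.escape(quote=True) turns & < > " '
    into entities, so stored data is displayed as text and cannot close the
    attribute or open a tag, whichever field it was stored in."""
    opts = []
    for o in options:
        selected = " selected" if o == record["address_use"] else ""
        opts.append(f'<option value="{html.escape(o, quote=True)}"{selected}>'
                    f'{html.escape(o, quote=True)}</option>')
    return (f'<input name="address" value="{html.escape(record["address"], quote=True)}">'
            f'<input name="city" value="{html.escape(record["city"], quote=True)}">'
            f'<select name="address_use">{"".join(opts)}</select>')


def has_injected_markup(markup: str) -> bool:
    """Check for the test: a literal <script tag in the rendered form means
    stored data was emitted as markup rather than as text."""
    return "<script" in markup.lower()
```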