OpenEMR Cross-Site Scripting Vulnerability
Purplemet Lab team discovered a cross-site scripting (XSS) vulnerability in OpenEMR before 5.0.1 Patch 6 (CVE-2018-18035). These versions embed a third party component named FlashCanvas which provides flashcanvas.swf, a Flash file vulnerable to a cross-site scripting.
Update to OpenEMR 5.0.1 Patch 6 or latest version.
Proof of concept
The vulnerability can be triggered using the following URL:
See OpenEMR 5.0.1 Patch (9/9/18) release.
Purplemet technology detection
Purplemet detects OpenEMR with version and CVE.