Resources

OpenEMR Cross-Site Scripting Vulnerability

,

January 13, 2020

|

1

min read

Vulnerability

Purplemet Lab team discovered a cross-site scripting (XSS) vulnerability in OpenEMR before 5.0.1 Patch 6 (CVE-2018-18035). These versions embed a third party component named FlashCanvas which provides flashcanvas.swf, a Flash file vulnerable to a cross-site scripting.

Solution

Update to OpenEMR 5.0.1 Patch 6 or latest version.

Proof of concept

The vulnerability can be triggered using the following URL:

http://ip/openemr/portal/sign/assets/flashcanvas.swf?id=12345678\%22));}catch(e){alert(document.domain)}// ‍

Reference

See OpenEMR 5.0.1 Patch (9/9/18) release.

Purplemet technology detection

Purplemet detects OpenEMR with version and CVE.

Purplemet detection of OpenEMR

Purplemet identification of OpenEMR CVE

Continue reading

Product Updates

Purplemet Cloud 1.26.0 New Features

,

June 9, 2025

|

min read

Product Updates

Purplemet Cloud 1.22.0 New Features

,

July 1, 2024

|

7

min read

Product Updates

Purplemet Cloud 1.21.0 New Features

,

March 12, 2024

|

4

min read

Rejoignez plus de 100 entreprises. Reprenez le contrôle de votre surface d'attaque avec Purplemet

Planifier une démo

Obtenir une évaluation gratuite