← Voltar para CVEs
CVE-2025-32794
HIGH7.6
Descricao
OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the First and Last Name fields during patient registration. This code is later executed when viewing the patient's encounter under Orders → Procedure Orders. Version 7.0.3.4 contains a patch for the issue.
Detalhes CVE
Pontuacao CVSS v3.17.6
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioREQUIRED
Publicado5/23/2025
Ultima modificacao7/2/2025
Fontenvd
Avistamentos honeypot0
Produtos afetados
open-emr:openemr
Fraquezas (CWE)
CWE-79
Referencias
https://github.com/openemr/openemr/security/advisories/GHSA-3c27-2m7h-f7rx(security-advisories@github.com)
https://github.com/openemr/openemr/security/advisories/GHSA-3c27-2m7h-f7rx(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.