V4Run14

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 7.0.3.4 **Description** A stored cross-site scripting (XSS) issue allows any authenticated user with patient creation and editing privileges to inject arbitrary JavaScript code into the system. This can be done by entering malicious payloads in the `Text Box` fields of `Address`, `Address Line 2`, `Postal Code`, and `City` fields, and the `Drop Down` menu options of `Address Use`, `State`, and `Country` of the `Additional Addresses` section of the `Contact` tab in `Patient Demographics`. The injected script can execute in two scenarios: dynamically during form input, and when the form data is later loaded for editing. **Recommendations** For versions prior to 7.0.3.4, update to version 7.0.3.4 to resolve the issue. As a temporary workaround, consider restricting access to the `Patient Demographics` section to minimize the risk of exploitation. Avoid using the `Text Box` fields and `Drop Down` menu options in the `Additional Addresses` section until the issue is resolved.