Will Porter

**Nome do software vulnerável e versões afetadas** SysAid versão 20.1.11b26 **Descrição** A vulnerabilidade permite um ataque XSS refletido por meio do parâmetro `accountid` na página “ForgotPassword.jsp”. **Recomendações** Para a versão 20.1.11b26, evite usar o parâmetro `accountid` na página ForgotPassword.jsp até que a vulnerabilidade seja resolvida.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 5.0.3 **Description** The issue allows a user to extract arbitrary data from the database via a non-parameterized INSERT INTO statement. This can be achieved by exploiting the `providerID` parameter in the `interface/forms/eye mag/js/eye base.php` file. **Recommendations** For OpenEMR versions prior to 5.0.3, update to version 5.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `eye base.php` file to minimize the risk of exploitation. Avoid using the `providerID` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 5.0.2.1 **Description** A reflected XSS issue exists in the interface/forms/eye mag/view.php file, specifically affecting the `id` parameter. **Recommendations** For versions prior to 5.0.2.1, update to version 5.0.2.1 or later to resolve the issue.