OpenEMR · OpenEMR · CVE-2018-10571
Name of the Vulnerable Software and Affected Versions:
OpenEMR versions prior to 5.0.1
Description:
The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different PHP files, including `patient` to `/interface/main/finder/finder_navigation.php`, `key` to `/interface/billing/get_claim_file.php`, `formid` or `formseq` to `/interface/orders/types.php`, and several others in `/interface/billing/sl_eob_process.php` and `/interface/billing/sl_eob_search.php`. This affects multiple API endpoints, such as those related to billing, orders, and de-identification forms, through parameters like `eraname`, `paydate`, `codetype`, `search_term`, `id`, and `list_id`.
Recommendations:
For OpenEMR versions prior to 5.0.1, update to version 5.0.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as `/interface/main/finder/finder_navigation.php`, `/interface/billing/get_claim_file.php`, and others, until a patch is applied.
Avoid using the vulnerable parameters, such as `patient`, `key`, `formid`, `formseq`, `eraname`, `paydate`, `codetype`, `search_term`, `id`, and `list_id`, in the affected API endpoints until the issue is resolved.
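While the upgrade is pending, web-server access logs can be reviewed for requests that place HTML metacharacters in the parameters listed above. The following is an added example, not code from OpenEMR or from this advisory's source; it assumes combined-format access logs and an `/openemr` install prefix, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints and parameter names taken from the advisory text above.
ENDPOINTS = (
    "/interface/main/finder/finder_navigation.php",
    "/interface/billing/get_claim_file.php",
    "/interface/orders/types.php",
    "/interface/billing/sl_eob_process.php",
    "/interface/billing/sl_eob_search.php",
)
PARAMS = {"patient", "key", "formid", "formseq", "eraname", "paydate",
          "codetype", "search_term", "id", "list_id"}

# Request line of a combined-format entry; only the query string is visible in such logs.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of HTML text or an attribute.
MARKUP_RE = re.compile(r"[<>\"']")

# Constructed sample entries (documentation IP range, assumed /openemr prefix).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2018:10:00:00 +0000] "GET /openemr/interface/orders/types.php?formid=12&formseq=3 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/May/2018:10:00:07 +0000] "GET /openemr/interface/main/finder/finder_navigation.php?patient=%22%3E%3Ci%3Ex%3C%2Fi%3E HTTP/1.1" 200 733',
    '203.0.113.9 - - [01/May/2018:10:00:09 +0000] "GET /openemr/interface/billing/get_claim_file.php?key=%253Cb%253E HTTP/1.1" 200 120',
    '203.0.113.7 - - [01/May/2018:10:00:11 +0000] "GET /openemr/index.php?id=%3Cb%3E HTTP/1.1" 200 90',
]


def suspicious_params(log_line):
    """Return [(endpoint, param, decoded_value)] for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    endpoint = next((e for e in ENDPOINTS if url.path.endswith(e)), None)
    if endpoint is None:
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = unquote(value)  # second decoding pass catches double-encoded values
        if name in PARAMS and MARKUP_RE.search(decoded):
            hits.append((endpoint, name, decoded))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for hit in suspicious_params(line):
            print(hit)
```

Parameters sent in POST bodies do not appear in access logs, so this review covers query-string requests only.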