CVE-2017-6394

Name of the Vulnerable Software and Affected Versions OpenEMR versions 5.0.0 through 5.0.1-dev

Description Multiple Cross-Site Scripting (XSS) issues were discovered due to insufficient filtration of user-supplied data. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website, specifically through the "openemr-master/gacl/admin/object search.php" URL, exploiting the section value and src form variables.

Recommendations For OpenEMR versions 5.0.0 through 5.0.1-dev, as a temporary workaround, consider restricting access to the "openemr-master/gacl/admin/object search.php" URL until a patch is available. Avoid using the section value and src form variables in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.