CVE-2018-10571

Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 5.0.1

Description: The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different PHP files, including patient to /interface/main/finder/finder navigation.php, key to /interface/billing/get claim file.php, formid or formseq to /interface/orders/types.php, and several others in /interface/billing/sl eob process.php and /interface/billing/sl eob search.php. This affects multiple API endpoints, such as those related to billing, orders, and de-identification forms, by exploiting parameters like eraname, paydate, codetype, search term, id, and list id.

Recommendations: For OpenEMR versions prior to 5.0.1, update to version 5.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as /interface/main/finder/finder navigation.php, /interface/billing/get claim file.php, and others, until a patch is applied. Avoid using the vulnerable parameters, such as patient, key, formid, formseq, eraname, paydate, codetype, search term, id, and list id, in the affected API endpoints until the issue is resolved.