CVE-2021-25918

Name of the Vulnerable Software and Affected Versions OpenEMR versions 5.0.2 through 6.0.0

Description The issue is related to Stored Cross-Site-Scripting (XSS) due to improper validation of user input, which is then rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.

Recommendations For OpenEMR versions 5.0.2 through 6.0.0, consider disabling the TOTP Authentication method page until a patch is available to prevent exploitation. Restrict access to user input fields to minimize the risk of arbitrary code injection. Update to a version that includes proper validation of user input to fully resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.