PT-2022-19924 · Unknown · Librehealth Emr
Manfromkz
·
Published
2022-05-05
·
Updated
2022-05-12
·
CVE-2022-29940
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
LibreHealth EHR version 2.0.0
Description
The issue is related to a lack of sanitization of the GET parameters
formseq and formid in the "interface/orders/find order popup.php" endpoint, leading to multiple cross-site scripting (XSS) vulnerabilities.Recommendations
For LibreHealth EHR version 2.0.0, consider disabling access to the "interface/orders/find order popup.php" endpoint until a patch is available, or ensure proper sanitization of the
formseq and formid parameters to prevent XSS attacks.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Librehealth Emr