PT-2023-19384 · Nosh · Nosh

Abbisqq · Published 2023-01-29 · Updated 2023-02-07 · CVE-2023-24065

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NOSH version 4a5cfdb

Description: The issue allows stored XSS via the create user page. For example, the first name of a physician, assistant, or billing user can contain a JavaScript payload that is executed when the "/users/2/1" page is visited. Because the product is used for health charting, this may allow attackers to steal Protected Health Information.

Recommendations: For version 4a5cfdb, consider disabling the create user page functionality until a patch is available, to prevent stored XSS attacks. Restrict access to the "/users/2/1" page to minimize the risk of exploitation. Avoid using the first name field on the create user page until the issue is resolved.
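As an added example (not NOSH's own code), the rendering pattern behind this class of bug and its fix, in Node.js: a stored first name interpolated raw into the user page versus HTML-encoded at output, plus an input-side check. The user record, field names and function names are constructed for illustration.

```javascript
// Added example (not NOSH code): rendering a user's first name into an HTML
// profile page the vulnerable way (raw interpolation) and the fixed way
// (contextual output encoding). Plain Node.js, no dependencies.

// Minimal HTML entity encoder for the text-node / attribute-value context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so whatever was saved on the create-user page reaches the browser as HTML.
function renderUserVulnerable(user) {
  return `<h2>${user.firstname} ${user.lastname}</h2>` +
         `<p>Role: ${user.role}</p>`;
}

// Hardened pattern: every stored field is encoded at the point of output.
function renderUserSafe(user) {
  return `<h2>${escapeHtml(user.firstname)} ${escapeHtml(user.lastname)}</h2>` +
         `<p>Role: ${escapeHtml(user.role)}</p>`;
}

// Defence in depth: reject names carrying angle brackets or control characters
// at input time. Output encoding stays the primary control (it also handles
// legitimate names such as O'Brien correctly); this check only narrows input.
function isPlausibleName(name) {
  return typeof name === "string" &&
         name.length > 0 && name.length <= 100 &&
         !/[<>\u0000-\u001f]/.test(name);
}

// Constructed sample record: a stored first name carrying a script payload,
// as the advisory describes for the create-user page.
const storedUser = {
  firstname: "<script>alert(1)</script>",
  lastname: "Example",
  role: "physician",
};

console.log(renderUserVulnerable(storedUser)); // script element reaches the browser
console.log(renderUserSafe(storedUser));       // rendered as literal text
console.log(isPlausibleName(storedUser.firstname)); // false
```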

Tags: XSS

Related Identifiers: CVE-2023-24065

Affected Products: Nosh