CVE-2025-43860

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 7.0.3.4

Description A stored cross-site scripting (XSS) issue allows any authenticated user with patient creation and editing privileges to inject arbitrary JavaScript code into the system. This can be done by entering malicious payloads in the Text Box fields of Address, Address Line 2, Postal Code, and City fields, and the Drop Down menu options of Address Use, State, and Country of the Additional Addresses section of the Contact tab in Patient Demographics. The injected script can execute in two scenarios: dynamically during form input, and when the form data is later loaded for editing.

Recommendations For versions prior to 7.0.3.4, update to version 7.0.3.4 to resolve the issue. As a temporary workaround, consider restricting access to the Patient Demographics section to minimize the risk of exploitation. Avoid using the Text Box fields and Drop Down menu options in the Additional Addresses section until the issue is resolved.