PT-2026-21812 · Openemr · Openemr

Published: 2026-02-25 · Updated: 2026-02-25 · CVE-2025-67491

CVSS v4.0: 8.5 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions 5.0.0.5 through 7.0.3.4

Description: OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting issue exists in the ub04 helper of the billing interface. The variable data is placed inside a click event handler as a single-quoted string without proper sanitization, so a malicious user can break out of the quoted string and inject a payload. This enables low-privileged users to store malicious JavaScript on the server and perform a stored cross-site scripting attack, potentially leading to the theft of session cookies and to unauthorized actions impersonating administrators. The API endpoint involved is not explicitly mentioned.

Recommendations: Update to version 7.0.4 or later to address this issue.
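The pattern the description refers to, as an added illustration that is not OpenEMR's code: a stored value spliced unescaped into a single-quoted inline click handler, beside two ways of emitting the same link safely. The function names, the showDetails() handler, the CSS class and the sample value are assumptions made for the example.

```php
<?php
// Added illustration of the pattern the advisory describes; this is not
// OpenEMR's code. Function names, the showDetails() handler and the sample
// value are constructed for the example.

// Constructed sample: a stored value containing single quotes.
const SAMPLE = "O'Brien'); marker(); ('";

// Vulnerable pattern: untrusted $data is spliced into a single-quoted JS
// string literal inside an inline onclick attribute with no escaping. The
// first ' in $data ends the literal, so the rest is parsed as JavaScript.
function vulnerableLink(string $data): string
{
    return '<a href="#" onclick="showDetails(\'' . $data . '\')">Details</a>';
}

// Hardened pattern, option 1: keep the inline handler but encode for both
// contexts it sits in. json_encode() with the HEX flags produces a JS string
// literal in which ' " < > & become \uXXXX escapes (they can no longer
// terminate the literal or the attribute); htmlspecialchars() then escapes
// the result for the HTML attribute it is embedded in.
function hardenedInlineLink(string $data): string
{
    $jsLiteral = json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    $attr = htmlspecialchars($jsLiteral, ENT_QUOTES, 'UTF-8');
    return '<a href="#" onclick="showDetails(' . $attr . ')">Details</a>';
}

// Hardened pattern, option 2 (preferred): no inline JavaScript at all. The
// value goes into a data attribute, HTML-escaped, and a script attached once
// per page reads it via dataset, which also works under a CSP that forbids
// inline handlers:
//   document.querySelectorAll('a.details-link').forEach(a =>
//     a.addEventListener('click', () => showDetails(a.dataset.value)));
function hardenedDataAttrLink(string $data): string
{
    $attr = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    return '<a href="#" class="details-link" data-value="' . $attr . '">Details</a>';
}

// Quick check: neither hardened output contains a raw single quote, so the
// stored value cannot end the string literal; the vulnerable one does.
assert(substr_count(vulnerableLink(SAMPLE), "'") > 2);
assert(strpos(hardenedInlineLink(SAMPLE), "'") === false);
assert(strpos(hardenedDataAttrLink(SAMPLE), "'") === false);
echo hardenedInlineLink(SAMPLE), PHP_EOL;
```

The same rule generalizes to any value emitted into an event-handler attribute: escape for the JavaScript string context first, then for the HTML attribute context, or avoid inline handlers entirely.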


XSS

Weakness Enumeration

Related Identifiers

CVE-2025-67491
GHSA-5FQ8-JWVW-3M5W

Affected Products

Openemr