CVE-2021-25918: 
OpenEMR vulnerability analysis and mitigation

CVE-2021-25918 affects OpenEMR versions 5.0.2 to 6.0.0, where a Stored Cross-Site-Scripting (XSS) vulnerability exists due to improper validation of user input in the TOTP Authentication method page. The vulnerability was discovered and disclosed in March 2021 (NIST, Mend).

The vulnerability exists because the application fails to validate specific input fields like 'First Name' and 'Last Name' while creating a new user. When a user with malicious script in these fields logs in and selects the 'TOTP Key' Authentication method from 'MFA Management', it triggers the stored XSS vulnerability. The CVSS v3.1 base score is 4.8, indicating medium severity, with attack vector being Network, attack complexity Low, requiring High privileges, and User interaction (Mend).

A successful exploitation of this vulnerability could allow an attacker with high privileges to inject arbitrary code into input fields when creating a new user. This could potentially lead to unauthorized access to user data and compromise of user sessions when the affected user accesses the TOTP Authentication page (NIST).

The vulnerability has been fixed in OpenEMR version 6.0.0.1. Users are recommended to upgrade to this version or later to address the security issue (Mend, GitHub).