CVE-2021-25919: 
OpenEMR vulnerability analysis and mitigation

In OpenEMR versions 5.0.2 to 6.0.0, a stored Cross-Site-Scripting (XSS) vulnerability was discovered due to improper validation of user input. The vulnerability was identified and disclosed on March 22, 2021, affecting the OpenEMR medical practice management solution (NVD, WhiteSource).

The vulnerability exists in the user creation functionality where input fields like 'First Name' and 'Last Name' are not properly validated. The issue is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, and a CVSS v2.0 score of 3.5 (LOW) (NVD).

When exploited, this vulnerability allows a highly privileged attacker to inject arbitrary code into input fields during new user creation. The injected code gets executed when the affected user accesses the 'MFA Management' section. This could potentially lead to unauthorized access to user cookies and other sensitive information (WhiteSource).

The vulnerability has been fixed in OpenEMR version 6.0.0.1. Users are advised to upgrade to this version or later to mitigate the risk. A patch is available in the OpenEMR repository (GitHub Patch).