
Cloud Vulnerability DB
A community-led vulnerabilities database
A Stored XSS vulnerability (CVE-2021-32103) was discovered in interface/usergroup/usergroup_admin.php in OpenEMR before version 5.0.2.1. The vulnerability allows an authenticated admin user to inject arbitrary web script or HTML via the lname parameter. It was part of a larger set of security issues discovered in OpenEMR 5.0.2.1, which is widely used worldwide for electronic health record and medical practice management (Sonar Blog).
The vulnerability exists in the user management functionality where an administrator can modify user information. The issue occurs because the user's last name is stored in the database and later displayed without proper sanitization. When the last name is retrieved and presented in the frontend, particularly when an administrator changes a user's password, the unsanitized content is embedded directly into the HTML output. This allows injection of malicious HTML code that will be rendered by the administrator's browser (Sonar Blog).
The vulnerability can be exploited as one link in a chain of attacks that could lead to complete system compromise. Combined with other vulnerabilities (CVE-2020-36243 for command injection and CVE-2021-32101 for insecure API permissions), an attacker could execute arbitrary system commands on any OpenEMR server that uses the Patient Portal component. This could result in unauthorized access to sensitive patient data and compromise of critical infrastructure (Daily Swig, Sonar Blog).
The vulnerability was patched by implementing proper output encoding using the PHP function htmlspecialchars() when displaying user names. Organizations using OpenEMR should upgrade to version 5.0.2.2 or later, which contains the security fixes. The OpenEMR team released the patch in August 2020 to address these vulnerabilities (OpenEMR Community, Sonar Blog).
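The following PHP snippet is an added illustration of the bug class and the fix described above; it is not OpenEMR's code, and the function names, the form markup and the sample last name are all constructed for the example. It places the vulnerable pattern (a stored value echoed straight into HTML) next to the hardened pattern (encoding with htmlspecialchars() at output time, as the patch does), and includes a small check of the kind a test suite could run over the rendered output.

```php
<?php
// Added example, not OpenEMR's code. Function and variable names are
// hypothetical; the stored last name is a constructed sample.
declare(strict_types=1);

// Constructed sample of a last name an admin could have saved via the
// lname parameter. It is stored as-is; the defect is on the output side.
$storedLname = '<script>alert(document.cookie)</script>';

// Vulnerable pattern: the database value is concatenated into the HTML
// of the change-password page without any encoding, so the browser of the
// admin viewing the page parses it as markup rather than text.
function renderPasswordFormVulnerable(string $lname): string
{
    return '<h2>Change password for user: ' . $lname . '</h2>';
}

// Hardened pattern: encode for an HTML text context at the point of output.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise silently drop the name.
function htmlEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPasswordFormSafe(string $lname): string
{
    return '<h2>Change password for user: ' . htmlEncode($lname) . '</h2>';
}

// Regression check: rendered output must not contain the raw stored value
// or an unencoded tag opener. Returns true when the output looks encoded.
function outputIsEncoded(string $html, string $rawValue): bool
{
    return strpos($html, $rawValue) === false
        && strpos($html, '<script') === false;
}

// Demonstration on the constructed sample: the vulnerable renderer fails
// the check, the hardened renderer passes it.
$vulnerable = renderPasswordFormVulnerable($storedLname);
$safe       = renderPasswordFormSafe($storedLname);

echo $vulnerable, PHP_EOL;
echo $safe, PHP_EOL;
var_dump(outputIsEncoded($vulnerable, $storedLname));
var_dump(outputIsEncoded($safe, $storedLname));
```

Encoding is context-specific: htmlspecialchars() is the right tool for HTML text and quoted attribute values, but a value placed inside a JavaScript string, a URL or a CSS block needs the encoder for that context instead. Applying the encoding at output time (rather than sanitizing on input) is what keeps the stored last name intact in the database while making it harmless wherever it is displayed.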
The OpenEMR Foundation acknowledged the severity of the vulnerabilities and thanked SonarSource for their responsible disclosure. Robert Down, chief operations officer at the OpenEMR Foundation, stated that while no software is completely free of vulnerabilities, OpenEMR's open source nature positions it well to identify and correct potential issues (Daily Swig).
Source: This report was generated using AI