CVE-2023-22972: 
OpenEMR vulnerability analysis and mitigation

A Reflected Cross-site scripting (XSS) vulnerability was discovered in OpenEMR versions prior to 7.0.0, specifically affecting the interface/forms/eye_mag/php/eye_mag_functions.php file. The vulnerability was assigned identifier CVE-2023-22972 and was disclosed on February 22, 2023. This security flaw affects the OpenEMR electronic health records management system (NVD, CVE).

The vulnerability allows remote authenticated users to inject arbitrary web script or HTML via the REQUEST_URI parameter. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability has been classified under CWE-79, which refers to Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability could allow authenticated attackers to inject malicious web scripts or HTML code into the application. This could potentially lead to the execution of unauthorized scripts in users' browsers, potentially compromising sensitive information or performing actions on behalf of other users (NVD).

The vulnerability has been fixed in OpenEMR version 7.0.0. Users are advised to upgrade to this version or later to protect against this security flaw. The fix was included in the 7.0.0 Patch released on November 30, 2022 (OpenEMR Patches).