CVE-2024-0875: 
OpenEMR vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in OpenEMR version 7.0.1, identified as CVE-2024-0875. The vulnerability exists in the Portal Mail functionality of the application, where an attacker can inject malicious payloads into the message body field (Huntr).

The vulnerability occurs in the Portal Mail messaging system where an attacker can bypass front-end character escaping by intercepting and modifying the request to inject malicious payloads into the 'inputBody' parameter. When the recipient views the message, the malicious payload is executed in their browser context. The vulnerability has been assigned a CVSS score of 8.1 (High), with network-based attack vector, low attack complexity, and low privileges required (Huntr).

The vulnerability can lead to compromise of user accounts when they view malicious messages containing XSS payloads. The impact assessment indicates high confidentiality and integrity risks, though availability is not affected. The successful exploitation could allow attackers to perform actions in the context of the victim's browser session (Huntr).

The vulnerability has been fixed in OpenEMR through the implementation of DOMPurify sanitization. The fix includes proper sanitization of HTML content using DOMPurify with specific HTML profiles enabled (GitHub Commit).