CVE-2025-29772: 
OpenEMR vulnerability analysis and mitigation

OpenEMR, a free and open source electronic health records and medical practice management application, was found to contain a reflected cross-site scripting (XSS) vulnerability (CVE-2025-29772). The vulnerability exists in CAMOS new.php where the POST parameter hidden_subcategory is output to the page without being properly processed. This vulnerability was fixed in version 7.0.3 (GitHub Advisory).

The vulnerability is classified as High severity with a CVSS v4.0 base score of 7.2. The attack vector is Network-based, requiring High attack complexity, No attack requirements, Low privileges, and Active user interaction. The vulnerability allows for High impact on both Confidentiality and Integrity, with No impact on Availability. The technical root cause involves improper processing of the hidden_subcategory POST parameter before outputting it to the page (GitHub Advisory).

The XSS vulnerability allows attackers to execute malicious scripts in users' browsers, which can lead to unauthorized access to sensitive data, session hijacking, or malware distribution (GitHub Advisory).

The vulnerability has been patched in OpenEMR version 7.0.3. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory).