CVE-2025-43860: 
OpenEMR vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in OpenEMR, a free and open source electronic health records and medical practice management application. The vulnerability (CVE-2025-43860) was disclosed on May 23, 2025, affecting versions prior to 7.0.3.4. It allows authenticated users with patient creation and editing privileges to inject arbitrary JavaScript code into the system through various address fields in the Patient Demographics section (GitHub Advisory, NVD).

The vulnerability exists in the file openemr/library/templates/addresslistform.php where unsanitized values are assigned to fullAddress[0] and dynamically displayed on the webpage. The issue occurs in two scenarios: during form input and when form data is loaded for editing. The vulnerability affects both text box fields (Address, Address Line 2, Postal Code, City) and dropdown menu options (Address Use, State, Country). The vulnerability has been assigned a CVSS v3.1 score of 7.6 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N (GitHub Advisory, Wiz).

The vulnerability affects all users who view or edit patient records, including administrators, clinicians, and other staff. Attackers could potentially hijack sessions, execute unauthorized actions, or exfiltrate sensitive information such as patient records and credentials. The stored nature of the XSS makes it particularly dangerous as the malicious script executes automatically upon viewing affected patient records (GitHub Advisory, Wiz).

The vulnerability has been patched in OpenEMR version 7.0.3.4. Users are advised to upgrade to this version or later to address the security issue. The fix involves proper sanitization and escaping of user input in the affected address fields (GitHub Advisory, Wiz).