{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openemr/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenEMR"],"_cs_severities":["medium"],"_cs_tags":["openemr","xss","cve-2026-33932","health-records"],"_cs_type":"advisory","_cs_vendors":["OpenEMR"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability has been identified in OpenEMR, a widely used open-source electronic health records and medical practice management application. Specifically, the vulnerability resides within the CCDA (Consolidated Clinical Document Architecture) document preview feature. Prior to version 8.0.0.3, an attacker with the ability to upload or send a CCDA document can inject malicious JavaScript code. When a clinician previews the booby-trapped document, the injected script executes within their browser session. This is due to insufficient sanitization of the \u003ccode\u003elinkHtml\u003c/code\u003e attribute in the XSL stylesheet used for rendering CCDA documents. The vulnerability, identified as CVE-2026-33932, allows \u003ccode\u003ehref=\u0026quot;javascript:...\u0026quot;\u003c/code\u003e and event handler attributes to pass through unfiltered. OpenEMR version 8.0.0.3 addresses this critical security flaw.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenEMR instance running a vulnerable version (prior to 8.0.0.3).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious CCDA document containing a \u003ccode\u003elinkHtml\u003c/code\u003e attribute with a JavaScript payload, such as \u003ccode\u003e\u0026lt;linkHtml href=\u0026quot;javascript:alert('XSS')\u0026quot;\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious CCDA document to the OpenEMR instance, potentially through patient record upload functionality or direct messaging features.\u003c/li\u003e\n\u003cli\u003eA clinician or authorized user accesses the patient record containing the malicious CCDA document.\u003c/li\u003e\n\u003cli\u003eThe clinician previews the CCDA document within the OpenEMR interface.\u003c/li\u003e\n\u003cli\u003eThe OpenEMR application processes the CCDA document using the vulnerable XSL stylesheet.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper sanitization, the JavaScript payload within the \u003ccode\u003elinkHtml\u003c/code\u003e attribute is rendered in the clinician's browser.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code executes in the clinician's browser session, potentially allowing the attacker to steal session cookies, redirect the user to a phishing site, or perform other malicious actions within the context of the OpenEMR application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can lead to several damaging consequences. An attacker could steal a clinician's session cookies, gaining unauthorized access to sensitive patient data. They could also redirect users to phishing sites to harvest credentials or inject malicious code into the OpenEMR application to compromise its functionality. Given the sensitive nature of electronic health records, a successful attack could result in significant privacy breaches, regulatory violations (HIPAA), and reputational damage to the healthcare provider. While the specific number of affected organizations is unknown, OpenEMR is used by numerous healthcare providers globally, placing a large patient population at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenEMR to version 8.0.0.3 or later to patch the CVE-2026-33932 vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious OpenEMR CCDA Document Preview\u0026quot; to your SIEM and tune for your environment, monitoring webserver logs for requests containing suspicious patterns in the URI.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures for all user-supplied data within the OpenEMR application, focusing on CCDA document processing.\u003c/li\u003e\n\u003cli\u003eEducate clinicians and other OpenEMR users about the risks of XSS attacks and the importance of reporting any suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openemr-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in OpenEMR's CCDA document preview (CVE-2026-33932) allows an attacker to execute arbitrary JavaScript in a clinician's browser session by uploading a malicious CCDA document.","title":"OpenEMR Stored XSS Vulnerability in CCDA Document Preview (CVE-2026-33932)","url":"https://feed.craftedsignal.io/briefs/2024-01-openemr-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenEMR"],"_cs_severities":["high"],"_cs_tags":["openemr","sql-injection","cve-2026-33914","web-application"],"_cs_type":"advisory","_cs_vendors":["OpenEMR"],"content_html":"\u003cp\u003eOpenEMR, a widely used open-source electronic health records (EHR) and medical practice management application, is vulnerable to a blind SQL injection flaw (CVE-2026-33914) affecting versions prior to 8.0.0.3. The vulnerability resides within the PostCalendar module, specifically in the \u003ccode\u003ecategoriesUpdate\u003c/code\u003e administrative function. The application fails to adequately sanitize the \u003ccode\u003edels\u003c/code\u003e POST parameter, which is then directly incorporated into a raw SQL \u003ccode\u003eDELETE\u003c/code\u003e statement. This lack of sanitization allows a malicious actor to inject arbitrary SQL code, potentially leading to data breaches, system compromise, and unauthorized access to sensitive patient information. Organizations using vulnerable OpenEMR instances are at significant risk until they upgrade to version 8.0.0.3 or apply the necessary patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenEMR instance running a version prior to 8.0.0.3.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/modules/PostCalendar/postcalendar.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003edels\u003c/code\u003e parameter containing a crafted SQL injection payload.\u003c/li\u003e\n\u003cli\u003eOpenEMR's \u003ccode\u003epnVarCleanFromInput()\u003c/code\u003e function strips HTML tags from the \u003ccode\u003edels\u003c/code\u003e parameter, but does not perform SQL escaping.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003edels\u003c/code\u003e parameter is directly interpolated into a raw SQL \u003ccode\u003eDELETE\u003c/code\u003e statement.\u003c/li\u003e\n\u003cli\u003eDoctrine DBAL's \u003ccode\u003eexecuteStatement()\u003c/code\u003e executes the malicious SQL query against the OpenEMR database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses blind SQL injection techniques (e.g., time-based or boolean-based) to exfiltrate data or modify database records.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to unauthorized access to patient data, modification of records, or complete database compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-33914) can lead to severe consequences for healthcare providers and their patients. Potential impacts include unauthorized access to and exfiltration of sensitive patient data (PHI), modification or deletion of critical medical records, disruption of clinical operations, and potential regulatory fines for HIPAA violations. The number of affected OpenEMR installations is substantial, making this a widespread threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade OpenEMR installations to version 8.0.0.3 to patch CVE-2026-33914.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect OpenEMR PostCalendar SQL Injection Attempt\u0026quot; to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/modules/PostCalendar/postcalendar.php\u003c/code\u003e containing unusual characters or SQL keywords in the \u003ccode\u003edels\u003c/code\u003e parameter to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openemr-sql-injection/","summary":"A blind SQL injection vulnerability exists in the PostCalendar module of OpenEMR versions prior to 8.0.0.3 due to improper sanitization of the `dels` POST parameter, potentially allowing attackers to execute arbitrary SQL commands.","title":"OpenEMR PostCalendar Blind SQL Injection Vulnerability (CVE-2026-33914)","url":"https://feed.craftedsignal.io/briefs/2024-01-openemr-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenEMR","version":"https://jsonfeed.org/version/1.1"}