<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Health-Records - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/health-records/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/health-records/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenEMR Stored XSS Vulnerability in CCDA Document Preview (CVE-2026-33932)</title><link>https://feed.craftedsignal.io/briefs/2024-01-openemr-xss/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openemr-xss/</guid><description>A stored cross-site scripting (XSS) vulnerability in OpenEMR's CCDA document preview (CVE-2026-33932) allows an attacker to execute arbitrary JavaScript in a clinician's browser session by uploading a malicious CCDA document.</description><content:encoded><![CDATA[<p>A stored cross-site scripting (XSS) vulnerability has been identified in OpenEMR, a widely used open-source electronic health records and medical practice management application. Specifically, the vulnerability resides within the CCDA (Consolidated Clinical Document Architecture) document preview feature. Prior to version 8.0.0.3, an attacker with the ability to upload or send a CCDA document can inject malicious JavaScript code. When a clinician previews the booby-trapped document, the injected script executes within their browser session. This is due to insufficient sanitization of the <code>linkHtml</code> attribute in the XSL stylesheet used for rendering CCDA documents. The vulnerability, identified as CVE-2026-33932, allows <code>href=&quot;javascript:...&quot;</code> and event handler attributes to pass through unfiltered. OpenEMR version 8.0.0.3 addresses this critical security flaw.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an OpenEMR instance running a vulnerable version (prior to 8.0.0.3).</li>
<li>The attacker crafts a malicious CCDA document containing a <code>linkHtml</code> attribute with a JavaScript payload, such as <code>&lt;linkHtml href=&quot;javascript:alert('XSS')&quot;&gt;</code>.</li>
<li>The attacker uploads the malicious CCDA document to the OpenEMR instance, potentially through patient record upload functionality or direct messaging features.</li>
<li>A clinician or authorized user accesses the patient record containing the malicious CCDA document.</li>
<li>The clinician previews the CCDA document within the OpenEMR interface.</li>
<li>The OpenEMR application processes the CCDA document using the vulnerable XSL stylesheet.</li>
<li>Due to the lack of proper sanitization, the JavaScript payload within the <code>linkHtml</code> attribute is rendered in the clinician's browser.</li>
<li>The JavaScript code executes in the clinician's browser session, potentially allowing the attacker to steal session cookies, redirect the user to a phishing site, or perform other malicious actions within the context of the OpenEMR application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this XSS vulnerability can lead to several damaging consequences. An attacker could steal a clinician's session cookies, gaining unauthorized access to sensitive patient data. They could also redirect users to phishing sites to harvest credentials or inject malicious code into the OpenEMR application to compromise its functionality. Given the sensitive nature of electronic health records, a successful attack could result in significant privacy breaches, regulatory violations (HIPAA), and reputational damage to the healthcare provider. While the specific number of affected organizations is unknown, OpenEMR is used by numerous healthcare providers globally, placing a large patient population at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenEMR to version 8.0.0.3 or later to patch the CVE-2026-33932 vulnerability.</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious OpenEMR CCDA Document Preview&quot; to your SIEM and tune for your environment, monitoring webserver logs for requests containing suspicious patterns in the URI.</li>
<li>Implement input validation and sanitization measures for all user-supplied data within the OpenEMR application, focusing on CCDA document processing.</li>
<li>Educate clinicians and other OpenEMR users about the risks of XSS attacks and the importance of reporting any suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>openemr</category><category>xss</category><category>cve-2026-33932</category><category>health-records</category></item></channel></rss>