CVE-2025-32794

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-32794

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-32794.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-32794

Related

GHSA-3c27-2m7h-f7rx

Published

2025-05-23T16:15:25Z

Modified

2025-07-03T06:48:13.798913Z

Summary

[none]

Details

OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the First and Last Name fields during patient registration. This code is later executed when viewing the patient's encounter under Orders → Procedure Orders. Version 7.0.3.4 contains a patch for the issue.

References

https://github.com/openemr/openemr/security/advisories/GHSA-3c27-2m7h-f7rx

Affected packages

Git / github.com/openemr/openemr

Affected ranges

Type: GIT
Repo: https://github.com/openemr/openemr
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fb33cbdacd6474911caaedd271d443ce41370d28

Affected versions

Other

v2_7_2

v2_7_2-rc1

v2_7_2-rc2

v2_7_3-rc1

v2_8_0

v2_8_1

v2_8_2

v2_8_3

v2_9_0

v3_0_0

v3_0_1

v7_0_3

v7_0_3_1

v7_0_3_2

v7_0_3_3