📄 Description (English)
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue.
🤖 AI Executive Summary
OpenEMR versions prior to 8.0.0.3 contain a stored cross-site scripting (XSS) vulnerability in CCDA document preview functionality. An attacker with document upload capabilities can inject malicious JavaScript that executes in clinicians' browsers, potentially compromising patient data and clinical workflows. This vulnerability is particularly critical in healthcare environments where CCDA documents are routinely exchanged between providers.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 30, 2026 01:16
🇸🇦 Saudi Arabia Impact Assessment
Saudi healthcare organizations using OpenEMR, including private hospitals, clinics, and health information exchange networks, face significant risk. The vulnerability directly impacts the Ministry of Health (MOH), ARAMCO Healthcare Services, and private healthcare providers relying on CCDA document exchange for patient referrals and continuity of care. Attackers could steal Protected Health Information (PHI), manipulate clinical records, or redirect clinicians to phishing sites. The vulnerability is particularly dangerous in Saudi's growing telemedicine and health information exchange initiatives.
🏢 Affected Saudi Sectors
Healthcare
Government (Ministry of Health)
Private Hospitals and Clinics
Health Information Exchange Networks
Telemedicine Providers
Medical Insurance Companies
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application (CCDA preview functionality)
T1598 - Phishing (JavaScript redirect to phishing sites)
T1056 - Input Capture (credential harvesting via injected forms)
T1005 - Data from Local System (PHI extraction from browser memory)
T1071 - Application Layer Protocol (JavaScript execution in HTTP context)
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Upgrade OpenEMR to version 8.0.0.3 or later immediately
2. Audit CCDA documents uploaded in the past 90 days for suspicious content
3. Review access logs for unauthorized document uploads
4. Notify clinicians to avoid previewing CCDA documents from untrusted sources
PATCHING GUIDANCE:
1. Test patch in non-production environment first
2. Schedule maintenance window for upgrade (typically 1-2 hours)
3. Backup database before patching
4. Verify XSL stylesheet sanitization after upgrade
COMPENSATING CONTROLS (if immediate patching not possible):
1. Restrict CCDA document upload permissions to trusted administrators only
2. Implement Web Application Firewall (WAF) rules to block javascript: protocol in href attributes
3. Disable CCDA preview functionality until patch is applied
4. Use Content Security Policy (CSP) headers to prevent inline script execution
DETECTION RULES:
1. Monitor for CCDA uploads containing 'javascript:' in href attributes
2. Alert on linkHtml elements with event handlers (onclick, onload, onerror)
3. Log all CCDA document preview activities with user attribution
4. Implement IDS signatures for XSS payloads in medical document uploads
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. ترقية OpenEMR إلى الإصدار 8.0.0.3 أو أحدث فوراً
2. تدقيق وثائق CCDA المحملة في آخر 90 يوماً بحثاً عن محتوى مريب
3. مراجعة سجلات الوصول للتحميلات غير المصرح بها
4. إخطار الأطباء السريريين بتجنب معاينة وثائق CCDA من مصادر غير موثوقة
إرشادات التصحيح:
1. اختبر التصحيح في بيئة غير الإنتاج أولاً
2. جدول نافذة صيانة للترقية (عادة 1-2 ساعة)
3. نسخ احتياطي من قاعدة البيانات قبل التصحيح
4. تحقق من تعقيم ورقة أنماط XSL بعد الترقية
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تقييد صلاحيات تحميل وثائق CCDA للمسؤولين الموثوقين فقط
2. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر بروتوكول javascript: في سمات href
3. تعطيل وظيفة معاينة CCDA حتى يتم تطبيق التصحيح
4. استخدام رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ البرامج النصية المضمنة
قواعد الكشف:
1. مراقبة تحميلات CCDA التي تحتوي على 'javascript:' في سمات href
2. تنبيه على عناصر linkHtml مع معالجات الأحداث (onclick, onload, onerror)
3. تسجيل جميع أنشطة معاينة وثائق CCDA مع نسب المستخدم
4. تنفيذ توقيعات IDS لحمولات XSS في تحميلات الوثائق الطبية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for third-party services (OpenEMR security controls)
ECC 2024 A.14.2.5 - Restrictions on access to information assets (CCDA document access controls)
ECC 2024 A.6.1.1 - Information security roles and responsibilities (patch management accountability)
🔵 SAMA CSF
SAMA CSF ID.BE-3 - Organizational resilience (healthcare service continuity)
SAMA CSF PR.AC-1 - Access control and user identity management
SAMA CSF PR.DS-1 - Data security and protection (PHI protection)
SAMA CSF DE.CM-1 - Detection and monitoring of anomalous activity
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control (document upload restrictions)
ISO 27001:2022 A.8.22 - Information security for supplier relationships
ISO 27001:2022 A.8.32 - Change management (patch deployment)
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates (if processing payment data)
PCI DSS 6.5.7 - Cross-site scripting prevention
🔗 References & Sources 3
🔗
https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d
security-advisories@github.com
Patch
🔗
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
security-advisories@github.com
Product
🔗
https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f
security-advisories@github.com
Vendor Advisory
📦 Affected Products / CPE 1 entries
open-emr:openemr