CVE-2021-25917: XSS
First published: Mon Mar 22 2021(Updated: )
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
Credit: vulnerabilitylab@mend.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Open-emr Openemr | >=5.0.2<=6.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-25917?
CVE-2021-25917 is a vulnerability in OpenEMR versions 5.0.2 to 6.0.0 that allows for stored Cross-Site Scripting (XSS) attacks.
How does CVE-2021-25917 work?
CVE-2021-25917 works by not properly validating and rendering user input in the U2F USB Device authentication method page, allowing an attacker to inject arbitrary code.
What is the severity of CVE-2021-25917?
CVE-2021-25917 has a severity level of medium with a CVSS score of 4.8 (out of 10).
What software versions are affected by CVE-2021-25917?
Versions 5.0.2 to 6.0.0 of OpenEMR are affected by CVE-2021-25917.
How can I fix CVE-2021-25917?
To fix CVE-2021-25917, it is recommended to update OpenEMR to a version that includes the necessary security patches.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/source
- vendor/open-emr
- canonical/open-emr openemr
- version/open-emr openemr/5.0.2
- version/open-emr openemr/6.0.0