CVE-2021-32103: XSS
First published: Fri May 07 2021(Updated: )
A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Open-emr Openemr | <=5.0.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability
- https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431
- https://community.sonarsource.com/t/openemr-5-0-2-1-command-injection-vulnerability-puts-health-records-at-risk/33592
- https://portswigger.net/daily-swig/healthcare-security-openemr-fixes-serious-flaws-that-lead-to-command-execution-in-patient-portal
Frequently Asked Questions
What is CVE-2021-32103?
CVE-2021-32103 is a Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1.
How does CVE-2021-32103 affect OpenEMR?
CVE-2021-32103 allows an admin authenticated user to inject arbitrary web script or HTML via the lname parameter in OpenEMR before version 5.0.2.1.
What is the severity of CVE-2021-32103?
CVE-2021-32103 has a severity rating of 4.8, which is considered medium.
How can I fix CVE-2021-32103?
To fix CVE-2021-32103, you should update OpenEMR to version 5.0.2.1 or later.
What is CWE-79?
CWE-79 is a weakness category that refers to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/open-emr
- canonical/open-emr openemr
- version/open-emr openemr/5.0.2.1