VYPR
Unrated severity · NVD Advisory · Published Apr 6, 2022 · Updated Aug 4, 2024

CVE-2021-40374

Description

A stored cross-site scripting (XSS) vulnerability was identified in Apperta Foundation OpenEyes 3.5.1. Updating a patient's details allows remote attackers to inject arbitrary web script or HTML via the Address1 parameter. This JavaScript then executes when the patient profile is loaded, which could be used in an XSS attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in OpenEyes 3.5.1 allows attackers to inject arbitrary JavaScript via the Address1 field, executing when victims view patient profiles.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Apperta Foundation OpenEyes 3.5.1 [1][2]. The Address1 parameter during patient detail updates fails to sanitize user input, allowing arbitrary web script or HTML injection. The injected payload is stored and executed when any user loads the affected patient profile [2].

Exploitation

An attacker with the ability to update a patient's details can inject JavaScript into the Address1 field. The proof-of-concept payload `` demonstrates the vulnerability. After saving the patient record and reloading the profile, the injected script executes in the browser of any user who views that profile [2].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to account hijacking, credential theft, sensitive data exfiltration, or other malicious actions within the OpenEyes application [2].

Mitigation

As of the publication date (2022-04-06), no patched version has been released by the vendor [1]. The OpenEyes project recommends that installations in clinical environments be handled through authorized professional services for security and integration support [1]. Users should ensure all patient-facing modules enforce input validation and apply output encoding to prevent script injection.
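The output-encoding advice above, as an added example (not OpenEyes code): a patient address field rendered into profile markup by plain concatenation, which is the pattern a stored XSS of this kind depends on, beside the same template with HTML encoding at the output boundary. The record shape, function names and sample address value are constructed for the illustration.

```javascript
// Added example: rendering a stored Address1 value into an HTML profile view.
// Nothing here is OpenEyes code; the record shape and sample value are constructed.

// Characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value so the browser treats it purely as text, never as markup.
// A single-pass replace avoids double-encoding the '&' of earlier entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored field is concatenated straight into markup,
// so any tag saved into the address is emitted as live HTML on every page load.
function renderAddressUnsafe(patient) {
  return '<div class="address">' + patient.address1 + '</div>';
}

// Hardened pattern: the field is encoded where it meets the HTML context.
function renderAddressSafe(patient) {
  return '<div class="address">' + escapeHtml(patient.address1) + '</div>';
}

// Regression signal for templates that should emit only their own elements:
// does the rendered string contain any tag other than the allowed ones?
// (Not a sanitizer; it only flags markup that leaked through from stored data.)
function containsForeignTag(html, allowed = ['div']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample record: a harmless <b> element stands in for whatever
// markup a stored payload would carry; the check is about structure, not content.
const SAMPLE_PATIENT = { address1: '12 Example St <b>marker</b>' };

console.log(renderAddressUnsafe(SAMPLE_PATIENT)); // emits the <b> as real markup
console.log(renderAddressSafe(SAMPLE_PATIENT));   // emits &lt;b&gt;marker&lt;/b&gt;
```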

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.