CVE-2022-29939

Vulnerability

In LibreHealth EHR 2.0.0, the file interface/billing/sl_eob_process.php directly echoes the $_REQUEST['debug'] and $_REQUEST['InsId'] parameters into hidden input fields without sanitization, as shown in the reference [1]: <input type="hidden" name="debug" value="<?php echo $_REQUEST['debug'];?>" />. This lack of output encoding (htmlspecialchars()) permits an attacker to inject arbitrary HTML and JavaScript. The vulnerability affects version 2.0.0 and potentially earlier releases (the codebase remains unchanged through the 2.0.0 tag).

Exploitation

An attacker must be authenticated to the LibreHealth EHR instance [1]. The proof-of-concept URLs in reference [1] demonstrate that injecting a double-quote to break out of the value attribute followed by a ` tag is sufficient to execute attacker-controlled JavaScript. For example, the parameter debug=1%22%3E%3Cscript%3Ealert('true xss');%3C/script%3E%3C!--` results in the injected script being reflected in the page. No user interaction beyond viewing the page is required.

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the context of the victim's browser session. This could lead to session hijacking, data exfiltration (such as patient health information), or unauthorized actions performed on behalf of the victim user. Because the injected payload is reflected, it can be used in a targeted attack by luring an authenticated administrator to a crafted URL.

Mitigation

As of the publication date (2022-05-05), no official fix has been released; the latest tagged version (2.0.0 RC1) remains vulnerable. The advisory in reference [1] recommends using htmlspecialchars() on the $_REQUEST['debug'] and $_REQUEST['InsId'] values before echoing them. Administrators should apply the manual patch to interface/billing/sl_eob_process.php or upgrade to a future patched version once available. The issue has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.