CVE-2022-29940
Description
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealth EHR 2.0.0 suffers from reflected XSS via unsanitized `formseq` and `formid` parameters in `find_order_popup.php`, allowing authenticated attackers to inject arbitrary JavaScript.
Vulnerability
The vulnerability resides in the file interface/orders/find_order_popup.php of LibreHealth EHR version 2.0.0. The GET parameters formseq and formid are not sanitized before being reflected in the page output, leading to reflected cross-site scripting (XSS). The code path is reachable only by authenticated users [1].
Exploitation
An attacker must be authenticated to the LibreHealth EHR application. They craft a URL that carries a JavaScript payload in the formseq or formid parameter and deliver it to another logged-in user. When that victim opens the link, the page reflects the payload and the script runs in the victim's browser under the application's origin; no interaction beyond following the link is needed [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the application's security context. This can lead to session hijacking, theft of sensitive data, or defacement of the application interface. The attacker operates with the victim's privileges [1].
Mitigation
As of the publication date (2022-05-05), no official patch has been released for this vulnerability. The vendor should encode the formseq and formid parameters before echoing them; the researcher suggests htmlspecialchars(), and because the values are reflected into a JavaScript string literal, the encoding must cover quote characters as well as angle brackets. Users should restrict network access to the application and monitor for requests to find_order_popup.php whose formid or formseq values contain quotes, angle brackets or script text. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- LibreHealth/LibreHealth EHR
- Range: = 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Lack of sanitization of the GET parameters formseq and formid in find_order_popup.php allows direct injection of attacker-controlled content into a JavaScript context."
Attack vector
An attacker who is already authenticated (all these vulnerabilities require authorization [ref_id=1]) can craft a URL containing malicious JavaScript payloads in the `formid` or `formseq` GET parameters. When a victim visits the crafted URL, the unsanitized parameters are echoed directly into a JavaScript function body inside the HTML page, allowing arbitrary script execution in the victim's browser session. The researcher provided proof-of-concept URLs such as `http://librehealth_host/interface/orders/find_order_popup.php?formid=123%27;}alert(123);function%20nt(typeid){var%20t=%27` [ref_id=1].
Affected code
The vulnerable code is in `interface/orders/find_order_popup.php` at line 91, where the `selcode()` JavaScript function is constructed. The GET parameters `formid` and `formseq` are directly concatenated into the JavaScript string via `echo $_GET['formid']` and `echo $_GET['formseq']` without any sanitization [ref_id=1].
What the fix does
No official patch has been released for this vulnerability because the project is migrating to the Laravel framework, which is expected to provide built-in output filtering [ref_id=1]. The researcher recommends applying `htmlspecialchars()` before every `echo` of user-supplied parameters as a temporary workaround to escape HTML special characters and prevent script injection [ref_id=1].
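The echo-into-JavaScript shape described under "Affected code" and the two encodings discussed above, as an added example: this is a reconstruction for illustration, not LibreHealth's source. Only the pattern (a GET parameter concatenated into a JS string inside a function) comes from the reference; the function body, the surrounding markup, the helper names and the assumption of PHP 8 are the example's own.

```php
<?php
// Added example, not LibreHealth's code: reconstructs the pattern the reference
// describes at find_order_popup.php line 91 (a GET parameter echoed into a
// JavaScript string literal) next to two ways of encoding it. The function body
// and markup are assumptions; only the echo-into-JS shape is from the reference.
// PHP 8 is assumed.

// Vulnerable shape: the raw parameter lands inside a single-quoted JS string.
function render_vulnerable(string $formid): string
{
    return "<script>function selcode(){var formid='" . $formid . "';}</script>";
}

// The researcher's workaround, with the flag that matters: before PHP 8.1
// htmlspecialchars() defaults to ENT_COMPAT and leaves single quotes alone,
// so the leading ' in the PoC would still terminate the JS string. ENT_QUOTES
// closes that gap, but browsers do not entity-decode inside <script>, so a
// legitimate value containing ' reaches JavaScript as &#039;.
function render_htmlspecialchars(string $formid): string
{
    $safe = htmlspecialchars($formid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<script>function selcode(){var formid='" . $safe . "';}</script>";
}

// Context-correct encoding: json_encode() emits a JS string literal, and the
// JSON_HEX_* flags escape < > ' " & so the value can close neither the string,
// the function nor the <script> element, while the original value survives.
function render_json(string $formid): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return "<script>function selcode(){var formid=" . json_encode($formid, $flags) . ";}</script>";
}

// For identifiers that are meant to be integers, validation beats escaping:
// anything that is not a non-negative integer is rejected before it is echoed.
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Constructed input: the researcher's formid payload, percent-decoded.
$poc = "123';}alert(123);function nt(typeid){var t='";

// With the raw echo, the payload closes the string and the function, runs
// alert(123), and opens function nt() so that the leftover ';}' still parses.
echo render_vulnerable($poc), PHP_EOL;
echo render_htmlspecialchars($poc), PHP_EOL;
echo render_json($poc), PHP_EOL;
var_dump(validate_id($poc));
var_dump(validate_id('123'));
```

Run it with `php example.php` and compare the three <script> lines: the first is exactly the JavaScript the PoC is built to produce, the second keeps the quote as an entity and so neither breaks out nor preserves the value, and the third is a plain JS string. Where formid and formseq are numeric, validate_id() is the right first line of defence and the encoding becomes defence in depth.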
Preconditions
- Authentication: the attacker must be authenticated to the LibreHealth EHR instance
- Input: the attacker must be able to craft a URL with malicious formid or formseq GET parameter values
Reproduction
Visit the following URLs as an authenticated user to trigger the XSS:
- `http://librehealth_host/interface/orders/find_order_popup.php?formid=123%27;}alert(123);function%20nt(typeid){var%20t=%27`
- `http://librehealth_host/interface/orders/find_order_popup.php?formseq=123%27;}alert(123);function%20nt(typeid){var%20t=%27`
- `http://librehealth_host/interface/orders/find_order_popup.php?formseq=1%27%3E%3Cscript%3Ealert(123);%3C/script%3E`
- `http://librehealth_host/interface/orders/find_order_popup.php?formid=1%27%3E%3Cscript%3Ealert(123);%3C/script%3E`
These PoC URLs were provided by the researcher [ref_id=1].
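What the PoC requests above look like in a web-server access log, and a small detection over them, as an added example that is not part of this page or of the LibreHealth project. The log lines are constructed for the example; the Apache combined log format, the exact script path and PHP 8 are assumptions.

```php
<?php
// Added example, not part of this page or of LibreHealth: flags access-log
// requests to find_order_popup.php whose formid/formseq values are not plain
// integers, which is how the PoC URLs appear in a log. The log lines are
// constructed for the example; Apache combined format and PHP 8 are assumed.

const SUSPECT_PATH = '/interface/orders/find_order_popup.php';
const WATCHED_PARAMS = ['formid', 'formseq'];

// Returns [param => decoded value] for every watched parameter that is not a
// bare non-negative integer; an empty array means nothing to report.
function flag_find_order_request(string $line): array
{
    // Combined format: host ident user [time] "METHOD target HTTP/x" status ...
    if (!preg_match('/^\S+ \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) HTTP\/[\d.]+" \d{3}/', $line, $m)) {
        return [];
    }
    [$path, $query] = array_pad(explode('?', $m[1], 2), 2, '');
    if (!str_ends_with($path, SUSPECT_PATH)) {
        return [];
    }
    parse_str($query, $params);  // parse_str also percent-decodes the values
    $hits = [];
    foreach (WATCHED_PARAMS as $name) {
        if (!array_key_exists($name, $params)) {
            continue;
        }
        $value = $params[$name];
        // An array (formid[]=...) or anything that is not digits only is reported.
        if (!is_string($value) || !preg_match('/^\d+$/', $value)) {
            $hits[$name] = is_string($value) ? $value : '(array)';
        }
    }
    return $hits;
}

// Constructed log lines: a benign request, two of the PoC requests from the
// reference, and a request to a different script that must not be flagged.
$lines = [
    '10.0.0.5 - - [01/May/2022:10:00:00 +0000] "GET /interface/orders/find_order_popup.php?formid=123&formseq=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/May/2022:10:01:00 +0000] "GET /interface/orders/find_order_popup.php?formid=123%27;}alert(123);function%20nt(typeid){var%20t=%27 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/May/2022:10:01:05 +0000] "GET /interface/orders/find_order_popup.php?formseq=1%27%3E%3Cscript%3Ealert(123);%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/May/2022:10:02:00 +0000] "GET /interface/main/main.php?formid=%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

foreach ($lines as $n => $line) {
    foreach (flag_find_order_request($line) as $param => $value) {
        printf("line %d: suspicious %s=%s\n", $n + 1, $param, $value);
    }
}
```

Only the second and third constructed lines are reported. The check is deliberately an allow-list on the parameter's expected shape rather than a search for `<script>` or `alert(`, so the function-breakout payload (which contains neither) is caught as well; on a real deployment, feed it the decoded request line and tune SUSPECT_PATH to the application's install prefix.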
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. nitroteam.kz/index.php (MISC)
News mentions
No linked articles in our index yet.