CVE-2022-31493
Description
LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php acl_id XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealth EHR Base 2.0.0 is vulnerable to reflected XSS via the acl_id parameter in gacl/admin/acl_admin.php.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in LibreHealth EHR Base version 2.0.0 [2]. The flaw resides in /gacl/admin/acl_admin.php and is triggered by the acl_id GET parameter [1]. The application fails to sanitize or encode the user-supplied acl_id value before rendering it in the response, allowing an attacker to inject arbitrary JavaScript [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL that includes an acl_id parameter containing HTML and JavaScript payloads [1]. The victim must be logged into LibreHealth EHR and click on the attacker-supplied link; no additional authentication or special network position is required beyond standard web access [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser session [1]. This can lead to session hijacking, phishing, or defacement of the application interface. The attack is limited to the scope of the XSS and does not grant server-side code execution [1].
Mitigation
As of the publication date (2022-06-06), no official patch or fixed version has been released. The vendor has not issued an advisory or acknowledged a fix in subsequent releases [2]. Organizations should restrict access to the vulnerable endpoint, sanitize user input for the acl_id parameter, and consider using a Web Application Firewall (WAF) to block malicious payloads until a patch becomes available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- LibreHealth/LibreHealth EHR Base
- Range: = 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization of the `acl_id` GET parameter in `acl_admin.php` allows reflected cross-site scripting."
Attack vector
An attacker crafts a URL containing a malicious payload in the `acl_id` GET parameter, such as `\"\x3e\x3cscript\x3ealert('XSS')\x3c/script\x3e`. When a victim visits this URL, the unsanitized parameter value is reflected in the response, causing the attacker's script to execute in the victim's browser context. No authentication is required to trigger the reflected XSS, as the parameter is processed directly by `acl_admin.php` [ref_id=1].
Affected code
The vulnerable endpoint is `/gacl/admin/acl_admin.php` in LibreHealth EHR Base 2.0.0. The `acl_id` GET parameter is not sanitized before being reflected in the page output, allowing an attacker to inject arbitrary HTML and JavaScript [ref_id=1].
What the fix does
The advisory does not include a patch or specific remediation guidance. To fix this vulnerability, the application should properly encode or sanitize the `acl_id` GET parameter before reflecting it in the HTML output, for example by using `htmlspecialchars()` or an equivalent output-escaping function. Input validation should also reject unexpected characters such as angle brackets and quotes [ref_id=1].
Preconditions
- Input: the victim must visit a crafted URL containing the malicious `acl_id` parameter.
- Auth: no authentication or special privileges are required to trigger the vulnerability.
Reproduction
Visit the following URL in a browser: `librehealth_host/gacl/admin/acl_admin.php?acl_id=\"\x3e\x3cscript\x3ealert('XSS')\x3c/script\x3e`. A JavaScript alert with the text "XSS" will appear, confirming the cross-site scripting vulnerability [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- nitroteam.kz/index.php (MISC)
News mentions
No linked articles in our index yet.