CVE-2022-31494
Description
LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php action XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealth EHR Base 2.0.0 suffers from a reflected XSS vulnerability in the ACL admin page via the `action` parameter, allowing arbitrary script execution.
Vulnerability
In LibreHealth EHR Base version [2.0.0] (REL-2_0_0) [2], the endpoint gacl/admin/acl_admin.php does not properly sanitize user-supplied input to the action GET parameter, leading to a stored or reflected Cross-Site Scripting (XSS) vulnerability [1]. An authenticated attacker can inject arbitrary JavaScript code that executes in the context of the victim's session when the page is rendered.
Exploitation
An attacker with authenticated access to the EHR application can craft a malicious URL containing JavaScript payload in the action parameter. The attack requires no special privileges beyond a standard user account. The crafted URL can be delivered to other authenticated users via social engineering or by embedding in a page that triggers the XSS. The proof-of-concept demonstrates that the injected script executes without restrictions [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any authenticated user visiting the vulnerable page. This can lead to session hijacking, defacement, theft of sensitive patient data, or actions performed on behalf of the victim. The CIA impact is primarily on confidentiality and integrity of EHR data.
Mitigation
As of the publication date, no official patch has been released for LibreHealth EHR Base 2.0.0. The project maintainers have not issued a fixed version. Users should monitor the official repository [2] for updates. In the absence of a patch, restrict access to administrative interfaces and apply input validation filtering on the action parameter as a workaround.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- LibreHealth/LibreHealth EHR Basedescription
- Range: = 2.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization of the `action`, `return_page`, and `acl_id` GET parameters in `acl_admin.php` allows reflected cross-site scripting."
Attack vector
An attacker crafts a malicious URL containing a payload in one of the GET parameters (`action`, `return_page`, or `acl_id`) of the `acl_admin.php` script [ref_id=1]. The proof-of-concept shows injecting a script tag via URL-encoded characters such as `\%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E` [ref_id=1]. When a victim with access to the LibreHealth EHR interface visits the crafted link, the unsanitized parameter value is rendered in the page, causing the injected JavaScript to execute in the victim's browser context [ref_id=1]. No authentication or special privileges are required beyond having access to the application.
Affected code
The vulnerable endpoint is `/gacl/admin/acl_admin.php` [ref_id=1]. The researcher write-up identifies that the `action`, `return_page`, and `acl_id` GET parameters are not sanitized before being reflected in the page output [ref_id=1].
What the fix does
The advisory does not provide a patch or specific remediation code [ref_id=1]. The recommended fix is to properly sanitize or encode the `action`, `return_page`, and `acl_id` GET parameters before reflecting them in the HTML output of `acl_admin.php`, preventing the injection of arbitrary script tags [ref_id=1].
Preconditions
- networkAttacker must have network access to a LibreHealth EHR instance
- authVictim user must be logged into the LibreHealth EHR application and visit the attacker's crafted URL
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- nitroteam.kz/index.phpmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.