CVE-2022-31495
Description
LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php return_page XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealth EHR Base 2.0.0 has a reflected XSS in gacl/admin/acl_admin.php via the return_page parameter.
Vulnerability
LibreHealth EHR Base version 2.0.0 [2] contains a reflected cross-site scripting (XSS) flaw in the gacl/admin/acl_admin.php script. The value of the return_page GET parameter is written back into the page without output encoding, so an attacker can inject arbitrary HTML and JavaScript [1].
Exploitation
An attacker crafts a URL carrying a malicious payload in the return_page parameter and lures a user (likely an authenticated administrator, given that the script lives under gacl/admin/) into opening it. The reference does not state whether the endpoint itself is reachable without a session; the reproduction below is performed while logged in. Either way, the injected script runs in the victim's browser with the victim's session, so it can issue requests to the application as that user [1].
Impact
Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser, in the origin of the LibreHealth EHR application. Consequences include hijacking the session (directly, if the session cookie is readable from script, or indirectly by riding the victim's cookies on same-origin requests), performing actions in the access-control admin interface as the victim, defacing the page, and stealing sensitive information displayed there.
Mitigation
As of the publication date (2022-06-07), no official patch had been released for this vulnerability. Until one is available, operators should encode the return_page value for its HTML context before it is echoed (or reject values that are not expected page names) and restrict access to the gacl/admin/ directory, for example at the web server or via network controls. Upgrade to a fixed version once one is published.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- LibreHealth / LibreHealth EHR Base
- Range: =2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization of the `return_page` GET parameter in `acl_admin.php` allows reflected XSS."
Attack vector
An attacker crafts a URL containing a malicious payload in the `return_page` GET parameter, such as `librehealth_host/gacl/admin/acl_admin.php?return_page="%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E` [ref_id=1]. URL-decoded, the value is `"><script>alert('XSS')</script>`: the leading `">` closes the attribute and element into which the parameter is reflected, and the rest is parsed as new markup. When a victim visits the link, the unencoded value is echoed into the HTML and the injected script executes in the victim's browser within the origin of the LibreHealth EHR application.
Affected code
The vulnerability is in the file `gacl/admin/acl_admin.php` [ref_id=1]. The `return_page` GET parameter is not encoded for its output context before being reflected in the page, so an attacker controls raw HTML and can inject arbitrary JavaScript.
What the fix does
The advisory does not include a patch or specific remediation guidance [ref_id=1]. The fix is to treat `return_page` as untrusted output: encode it for the HTML context in which it is reflected, for example with `htmlspecialchars()` using `ENT_QUOTES` so that both quote characters are escaped (the published payload begins with `">` precisely to break out of an attribute value), and preferably also validate that the value is one of the expected relative page names rather than an arbitrary string.
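The following is an added example written for this page, not LibreHealth code. The real `acl_admin.php` is not reproduced here; the "unsafe" function models the reflection the advisory describes under the assumption that `return_page` lands inside an `href` attribute, and the allow-list rule and the `acl_admin.php` fallback target are illustrative choices, not the project's own. It runs from the PHP CLI and checks that the advisory's payload survives the unsafe path and is neutralised by the hardened one.

```php
<?php
// Added example (editor's code, not LibreHealth's). The actual acl_admin.php
// is not reproduced on this page; renderReturnLinkUnsafe() models the
// reflection the advisory describes, assuming return_page is written into
// an href attribute. The allow-list rule and fallback target are assumptions.
declare(strict_types=1);

// The advisory's payload, URL-decoded. The leading "> closes the attribute
// value and its element, so whatever follows is parsed as new markup.
const ADVISORY_PAYLOAD = '"><script>alert(\'XSS\')</script>';

// Assumed vulnerable shape: the raw GET value is concatenated into HTML.
function renderReturnLinkUnsafe(string $returnPage): string
{
    return '<a href="' . $returnPage . '">Return</a>';
}

// Output encoding for an HTML attribute. ENT_QUOTES encodes both ' and ",
// so the value cannot terminate a single- or double-quoted attribute;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function htmlAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Structural validation: a return page should be a bare script name in the
// same directory, never a scheme, path or markup. Returns null on anything
// else so the caller can fall back to a fixed default (this also closes the
// open-redirect use of the same parameter).
function validateReturnPage(string $candidate): ?string
{
    return preg_match('~\A[A-Za-z0-9_-]+\.php\z~', $candidate) === 1 ? $candidate : null;
}

// Hardened: validate first, then encode for the attribute context. Both
// layers apply; encoding alone already defeats the published payload.
function renderReturnLinkSafe(string $returnPage): string
{
    $target = validateReturnPage($returnPage) ?? 'acl_admin.php'; // assumed default
    return '<a href="' . htmlAttr($target) . '">Return</a>';
}

// Self-check when run from the CLI:  php return_page_fix.php
if (PHP_SAPI === 'cli') {
    $unsafe      = renderReturnLinkUnsafe(ADVISORY_PAYLOAD);
    $encodedOnly = htmlAttr(ADVISORY_PAYLOAD);
    $safe        = renderReturnLinkSafe(ADVISORY_PAYLOAD);

    echo "unsafe:       $unsafe\n";      // carries a live <script> element
    echo "encoded only: $encodedOnly\n"; // &quot;&gt;&lt;script&gt;... stays inert text
    echo "safe:         $safe\n";        // rejected by the allow-list, falls back

    $ok = strpos($unsafe, '<script>') !== false
        && strpos($encodedOnly, '<') === false
        && strpos($safe, '<script') === false;
    if (!$ok) {
        fwrite(STDERR, "self-check failed\n");
        exit(1);
    }
    echo "self-check passed\n";
}
```

The encoding step is the part that directly addresses the advisory: with `ENT_QUOTES`, the `"` in the payload becomes `&quot;` and the `<` becomes `&lt;`, so the browser renders the value as text inside the attribute instead of closing it. The allow-list is defence in depth for a parameter whose only legitimate purpose is to name a page to return to.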
Preconditions
- Authentication: The victim must be logged into LibreHealth EHR or have an active session.
- Input: The attacker must trick the victim into opening a crafted URL carrying the XSS payload in the return_page parameter.
- Network: No special network position is required; the attack can be performed remotely over HTTP/HTTPS.
Reproduction
Visit the following URL in a browser while authenticated to LibreHealth EHR: `librehealth_host/gacl/admin/acl_admin.php?return_page="%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E` [ref_id=1]. A JavaScript alert box with the text "XSS" appears, confirming that the parameter is reflected without encoding. If the alert does not fire, viewing the page source and locating the echoed return_page value shows whether the quote and angle brackets were encoded (patched) or emitted raw (vulnerable).
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. nitroteam.kz/index.php (MISC)
News mentions
No linked articles in our index yet.