CVE-2022-31497
Description
LibreHealth EHR Base 2.0.0 allows interface/main/finder/finder_navigation.php patient XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreHealth EHR 2.0.0 contains a stored XSS vulnerability in the patient parameter of finder_navigation.php.
Vulnerability
LibreHealth EHR Base version 2.0.0 contains a cross-site scripting (XSS) vulnerability in interface/main/finder/finder_navigation.php. The patient GET parameter is not sanitized, allowing an attacker to inject arbitrary HTML and JavaScript. The vulnerable code path is reachable when the application is configured to use the patient finder functionality [1].
Exploitation
An attacker can trigger the vulnerability by sending a crafted HTTP GET request to `librehealth_host/interface/main/finder/finder_navigation.php?patient=1%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3C!--` (or similar payload) [1]. No authentication is required; the attacker only needs network access to the vulnerable instance. The script executes in the context of the victim user's browser when they navigate to the manipulated URL.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the user's session, potentially leading to session theft, credential exfiltration, or further malicious actions within the application [1]. The impact is limited to XSS-related attacks, but combined with other vulnerabilities could escalate privileges.
Mitigation
The official fix has not been disclosed in the available references. The vendor has not released a patched version for this vulnerability [2]. As of the publication date (2022-06-08), no workaround has been provided. Users should restrict access to the affected endpoint and apply general XSS prevention measures, such as input validation and output encoding.
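With no patch available, reviewing web server access logs for requests that put HTML metacharacters in the `patient` parameter of this endpoint is one way to spot attempts. The script below is an added example, not code from the advisory or from LibreHealth; it assumes the Apache/Nginx combined log format, and the sample log lines (client addresses, timestamps, the `/other/page.php` path) are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoint and parameter named in the CVE description.
ENDPOINT = "/interface/main/finder/finder_navigation.php"
PARAM = "patient"
# Characters that let a reflected value close an attribute or open a tag.
HTML_META = re.compile(r"[\"'<>]")
# Assumption: access logs use the Apache/Nginx combined log format.
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_line(line):
    """Return (client, decoded value) pairs for suspicious `patient` values."""
    match = LOG_LINE.match(line)
    if not match:
        return []
    client, target = match.groups()
    url = urlsplit(target)
    if not url.path.endswith(ENDPOINT):  # endswith tolerates a path prefix
        return []
    hits = []
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if unquote_plus(name) == PARAM and HTML_META.search(value):
            hits.append((client, value))
    return hits


def scan(lines):
    """Scan an iterable of log lines and collect every hit."""
    return [hit for line in lines for hit in flag_line(line)]


# Constructed sample log lines (not real traffic); the second carries the
# payload quoted in the Exploitation paragraph above.
SAMPLE_LOG = [
    '198.51.100.10 - - [08/Jun/2022:09:14:02 +0000] "GET /interface/main/finder/finder_navigation.php?patient=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jun/2022:09:15:40 +0000] "GET /interface/main/finder/finder_navigation.php?patient=1%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3C!-- HTTP/1.1" 200 1902 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [08/Jun/2022:09:16:11 +0000] "GET /other/page.php?patient=%3Cb%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}: suspicious patient value {value!r}")
```

Only the second sample line is flagged: the first carries a plain value, and the third targets a different path.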
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- LibreHealth/EHR Base
- Range: =2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `patient` GET parameter is reflected in the HTML response without sanitization or encoding."
Attack vector
An attacker crafts a URL containing a malicious payload in the `patient` GET parameter, such as `%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3C!--` (which decodes to `">
Affected code
The vulnerable endpoint is `interface/main/finder/finder_navigation.php` in LibreHealth EHR Base 2.0.0. The `patient` GET parameter is reflected without sanitization, allowing an attacker to inject arbitrary HTML and JavaScript.
What the fix does
No patch is included in the bundle. The advisory does not specify a fix, but the remediation for a reflected XSS vulnerability of this type is to properly encode or sanitize the `patient` GET parameter before rendering it in the HTML response, or to use a templating engine that auto-escapes output.
Preconditions
- input: The attacker must be able to trick a logged-in user into clicking a crafted URL.
- auth: The victim must be authenticated to LibreHealth EHR.
Reproduction
Visit the following URL while authenticated to LibreHealth EHR: `librehealth_host/interface/main/finder/finder_navigation.php?patient=1%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3C!--` [1]. A JavaScript alert box with the text "xss" will appear, confirming the XSS.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- nitroteam.kz/index.php (mitre, x_refsource_MISC)