CVE-2022-31498

Vulnerability

A cross-site scripting (XSS) vulnerability exists in LibreHealth EHR Base version 2.0.0 in the file interface/orders/patient_match_dialog.php. The application fails to properly sanitize user-supplied input to the key parameter (as noted in the original advisory [1]). An attacker can inject arbitrary JavaScript or HTML through this parameter, which is then reflected back to the user in the dialog response. The vulnerability affects the 2.0.0 release tag [2].

Exploitation

An attacker can exploit this vulnerability by crafting a URL containing malicious code in the key parameter, such as `. When a victim—typically an authenticated EHR user—visits the crafted URL via interface/orders/patient_match_dialog.php?key=...` the injected script executes in the context of their session. No prior authentication is required to send the malicious link, but the target must be logged into the application for the script to run with their privileges [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, data exfiltration, or manipulation of the application's functionality within the context of the user's role. Since the script runs with the victim's privileges, an attacker could potentially access or modify patient records, perform unauthorized actions, or steal sensitive information displayed on the page [1].

Mitigation

As of the publication date (2022-06-06), no official patch has been released for this vulnerability. The affected version 2.0.0 remains in widespread use. Mitigations should include input validation and output encoding for the key parameter in patient_match_dialog.php. Until a fix is deployed, organizations should restrict access to the vulnerable endpoint via web application firewall rules or network segmentation, and avoid clicking untrusted links while logged into LibreHealth EHR [1]. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of now.