


Perceptive Security
SOC/SIEM Consultancy

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting…
Published:
25 March 2026 at 23:00:00
Alert date:
26 March 2026 at 01:02:19
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
OpenEMR, a free and open source electronic health records application, contains a stored cross-site scripting vulnerability in the CCDA document preview feature prior to version 8.0.0.3. Attackers who can upload or send CCDA documents can execute arbitrary JavaScript in clinician browser sessions when documents are previewed. The vulnerability exists because the XSL stylesheet fails to sanitize linkHtml attributes, allowing href="javascript:..." and event handler attributes to pass through unchanged. This represents a significant security risk in healthcare environments where clinicians regularly preview patient documents. The issue has been patched in version 8.0.0.3.
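An added example (not OpenEMR's code and not the upstream patch): a pre-preview check that flags the two patterns described above, non-allowlisted `href` schemes and event handler attributes, on `linkHtml` elements of an incoming CCDA document. The scheme allowlist, the function names and the sample document are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened parser such as defusedxml

SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist; adjust to local policy

def _scheme(href):
    """Return the lowercased URL scheme, or None for relative/fragment links."""
    # Browsers ignore tabs/newlines and leading control characters or spaces
    # when resolving a scheme, so normalise the same way before matching.
    cleaned = re.sub(r"[\t\r\n]", "", href).lstrip("".join(map(chr, range(0x21))))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None

def find_unsafe_linkhtml(ccda_xml):
    """Return (attribute, value, reason) tuples for risky linkHtml attributes."""
    findings = []
    root = ET.fromstring(ccda_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "linkHtml":  # ignore the namespace prefix
            continue
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()
            if local.startswith("on"):
                findings.append((name, value, "event handler attribute"))
            elif local == "href":
                scheme = _scheme(value)
                if scheme is not None and scheme not in SAFE_SCHEMES:
                    findings.append((name, value, f"disallowed scheme '{scheme}'"))
    return findings

# Constructed sample document (not a real patient record).
SAMPLE = """<ClinicalDocument xmlns="urn:hl7-org:v3">
  <component><section><text>
    <linkHtml href="https://example.org/lab/123">Lab report</linkHtml>
    <linkHtml href="#ref1">Internal reference</linkHtml>
    <linkHtml href=" JavaScript:void(0)">Flagged link</linkHtml>
    <linkHtml href="https://example.org/" onmouseover="void(0)">Flagged hover</linkHtml>
  </text></section></component>
</ClinicalDocument>"""

if __name__ == "__main__":
    for attr, value, reason in find_unsafe_linkhtml(SAMPLE):
        print(f"{attr}={value!r}: {reason}")
```

A check like this can quarantine documents on unpatched instances or be run over already-stored CCDA files to find ones that warrant review; it does not replace upgrading to 8.0.0.3.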
Affected products:
OpenEMR
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33932
https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f
This article was created with the assistance of AI technology by Perceptive.
