SB2025040142 - Multiple vulnerabilities in OpenEMR

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-31117)

The vulnerability allows a remote user to force the server to make unauthorized requests to internal or external resources and disclose sensitive information.

The vulnerability exists due to server-side request forgery in the Dicom Viewer URL import feature when processing a user-supplied URL. A remote user can submit a crafted URL to force the server to make unauthorized requests to internal or external resources and disclose sensitive information.

The issue is out-of-band and can be observed through DNS or HTTP interactions. User interaction is required to access the import functionality.

2) Cross-site scripting (CVE-ID: CVE-2025-31121)

The vulnerability allows a remote user to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the Patient Image feature when rendering user-supplied image-related content. A remote privileged user can inject a crafted payload to execute arbitrary script in a user's browser.

User interaction is required for exploitation.

Remediation

Install update from vendor's website.

References

• https://github.com/openemr/openemr/security/advisories/GHSA-2pvv-ph3x-2f9h
• https://github.com/openemr/openemr/security/advisories/GHSA-2w94-qmj6-3qxx