#VU127243 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in OpenEMR - CVE-2025-30161


Published: March 30, 2025 / Updated: April 23, 2026


Vulnerability identifier: #VU127243
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-30161
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
OpenEMR
Software vendor:
OpenEMR

Description

The vulnerability allows a remote user to execute arbitrary script in a victim's browser and disclose sensitive information.

The vulnerability exists due to improper neutralization of script-related HTML tags in the bronchitis form component when stored user-supplied form field values are rendered back into the page. A remote user can save a specially crafted bronchitis form value that executes arbitrary script in a victim's browser and discloses sensitive information.

User interaction is required: the script runs when another user opens the form for editing and clicks on the affected field.
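The rendering pattern behind this class of bug, shown as an added PHP example that is not OpenEMR's code and does not reproduce the affected component: a stored field value is written into an input attribute once without escaping and once escaped for the attribute context. Field names and values are constructed for the illustration.

```php
<?php
// Constructed stored values, as they might be read back from the database
// for an edit form. The second contains quote and angle-bracket characters
// that must stay data and not become markup.
$storedFields = [
    'onset_date' => '2025-03-01',
    'notes'      => '"cough" <worse at night>',
];

// Vulnerable pattern: the stored value is concatenated straight into an
// attribute, so quotes and tags in the value change the page structure.
function renderFieldVulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape for the HTML attribute context at output time.
// ENT_QUOTES escapes both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of silently returning an empty string.
function escAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFieldSafe(string $name, string $value): string
{
    return '<input type="text" name="' . escAttr($name) . '" value="' . escAttr($value) . '">';
}

// Side by side: the unescaped output has a broken value attribute and a
// stray element; the escaped output keeps the characters as literal text.
foreach ($storedFields as $name => $value) {
    echo "unescaped: ", renderFieldVulnerable($name, $value), "\n";
    echo "escaped:   ", renderFieldSafe($name, $value), "\n";
}
```

The same escaping must be applied in every output context the value reaches (attribute, element body, script, URL), each with the encoder for that context; escaping on input does not replace it.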


Remediation

Install security update from vendor's website.

External links