PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6394 Open Emr CVE debrief

CVE-2017-6394 describes multiple cross-site scripting issues in OpenEMR caused by insufficient filtering of user-supplied data in the gacl admin object_search.php endpoint. The vulnerability is reported against OpenEMR 5.0.0 and 5.0.1-dev, and the NVD record assigns it a CVSS 3.1 base score of 6.1 (Medium). Because the attack requires only a crafted request and user interaction, organizations should treat any exposed or internet-facing OpenEMR deployment on those versions as a meaningful browser-based risk.

Vendor: Open Emr
Product: CVE-2017-6394
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Healthcare and clinic IT teams running OpenEMR, especially administrators and security teams responsible for web application hardening, patching, and access control. It is also relevant to anyone who can reach the gacl admin interface or who has users that may be induced to open attacker-supplied links while authenticated to the vulnerable site.

Technical summary

The vulnerability is a cross-site scripting flaw in openemr-master/gacl/admin/object_search.php, with affected input handling noted for the section_value and src_form parameters. NVD maps the issue to CWE-79 and lists the CVSS vector as AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, no privileges required, and a user-interaction dependency. The described impact is execution of arbitrary HTML and script in the browser under the origin of the vulnerable OpenEMR site.

Defensive priority

Medium. The CVSS score is moderate, but the combination of no privileges required, browser-side impact, and a healthcare application context makes timely remediation important wherever the affected versions are still in use or exposed to untrusted users.

Recommended defensive actions

  • Upgrade OpenEMR to a version that remediates the XSS issue; do not leave 5.0.0 or 5.0.1-dev exposed.
  • Treat object_search.php and related gacl admin functions as high-risk input points and ensure server-side output encoding and parameter validation are enforced.
  • Restrict access to administrative OpenEMR interfaces with authentication, network segmentation, and least-privilege controls.
  • Review whether any user-controlled links or parameters could reach the affected endpoint and warn administrators not to open untrusted URLs while authenticated.
  • Audit application logs and web access logs for suspicious requests targeting object_search.php, section_value, or src_form.
  • If patching is delayed, reduce exposure by limiting who can access the vulnerable interface and by disabling external access where possible.
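As an added example of the log audit recommended above (not code from the CVE record or from the OpenEMR project), the script below scans web access log lines in the common "combined" format for requests to object_search.php whose section_value or src_form parameters carry HTML or script markers after URL decoding. The log lines, the path prefix /openemr/ and the marker list are constructed assumptions; adjust them to the local deployment.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2017:10:01:02 +0000] "GET /openemr/gacl/admin/object_search.php?section_value=user&src_form=edit_user.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2017:10:02:15 +0000] "GET /openemr/gacl/admin/object_search.php?section_value=%3Cscript%3Etest%3C%2Fscript%3E&src_form=edit_user.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2017:10:03:44 +0000] "GET /openemr/interface/login/login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Endpoint and parameters named in the CVE record.
WATCHED_PATH = "object_search.php"
WATCHED_PARAMS = ("section_value", "src_form")
# Markers that should never appear in these parameters: tag brackets,
# javascript: URLs, or inline event handlers (assumed heuristic, tune locally).
MARKUP_MARKERS = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text):
    """Return one finding per watched parameter value that contains markup markers."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.endswith(WATCHED_PATH):
            continue
        # parse_qs decodes one layer of percent-encoding; a second unquote
        # also catches double-encoded values such as %253C.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for raw in params.get(name, []):
                decoded = unquote_plus(raw)
                if MARKUP_MARKERS.search(decoded):
                    findings.append({"ip": m["ip"], "time": m["ts"], "param": name,
                                     "value": decoded, "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r} status={f['status']}")
```

Access logs only record the query string, so POST bodies sent to the same endpoint are not visible here; correlate with application logs or a web application firewall for those.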

Evidence notes

The core vulnerability description, affected versions, and endpoint/parameter details come from the supplied CVE record and NVD source item. NVD identifies CWE-79 and provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N with a 6.1 Medium score. The supplied references include SecurityFocus BID 96539 and BID 96576 as third-party advisories, plus the OpenEMR GitHub issue 498 as an additional reference. Timing context should follow the CVE publishedAt date of 2017-03-02, not the 2026 NVD modified timestamp.

Official resources

CVE-2017-6394 was published on 2017-03-02. The supplied record was last modified on 2026-05-13, but that modified timestamp should not be treated as the issue date.