In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code.
Login as administrator to the OpenEMR application. After login, go to the `interface/orders/patient_match_dialog.php?key=1` endpoint. Test the vulnerability by changing the value of `key` parameter in the URL to the below provided payload and press enter.
Upgrade to version 220.127.116.11