# Reflected XSS in Change Credential Function in openemr/openemr

## Author: TuanNQ (https://github.com/tuannq2299)

## Description

The value submitted as the Account name (the `uname` parameter) is reflected in the response without escaping, so an injected payload is executed by the browser.

## Proof of Concept

Step 1: Go to the Reset Creds function.

![image](https://hackmd.io/_uploads/rkkgI9qda.png)

Step 2: Intercept the request and inject the payload `"><img src=x onerror=alert(1)>` into the `uname` parameter. The payload is reflected unchanged in the response.

![image](https://hackmd.io/_uploads/BJeG8qcdp.png)

Step 3: The payload is then triggered.

![image](https://hackmd.io/_uploads/rJymIccup.png)

## Impact

If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user. The attacker can carry out any of the actions typically associated with reflected XSS vulnerabilities.

## Response from vendor

![image](https://hackmd.io/_uploads/BkgDL5q_T.png)
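The remediation for the behaviour shown in the proof of concept above is output encoding at the point where the account name is reflected. The PHP below is an added example, not OpenEMR's code or the vendor's fix: a hypothetical reset-credentials form rendered first with the reported unescaped pattern and then with `htmlspecialchars` for the attribute context; the form markup, function names and the self-check are assumptions, only the `uname` parameter and the payload come from the report.

```php
<?php
// Added illustration, not OpenEMR's code. The form markup and function names
// are assumptions; only the parameter name `uname` and the payload come from
// the report above.

// Vulnerable pattern: the account name is copied straight into an attribute
// value. A `"` in the input closes the attribute, `>` closes the tag, and the
// remainder of the input becomes live markup.
function renderResetFormVulnerable(string $uname): string
{
    return '<input type="text" name="uname" value="' . $uname . '">';
}

// Hardened pattern: encode for the HTML attribute context before reflecting.
// ENT_QUOTES encodes both " and ', so the value cannot terminate the
// attribute; < and > are encoded, so no new tag can be opened.
function renderResetFormSafe(string $uname): string
{
    $encoded = htmlspecialchars($uname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="uname" value="' . $encoded . '">';
}

// Self-check usable in a regression test: the rendered form must stay a
// single <input> element with no other tag, whatever the account name holds.
function reflectsOnlyOneInput(string $html): bool
{
    return preg_match_all('/<[a-zA-Z]/', $html) === 1
        && strpos($html, '<input') === 0;
}

// Constructed input: the payload from the report.
$payload = '"><img src=x onerror=alert(1)>';

foreach (['vulnerable' => 'renderResetFormVulnerable',
          'hardened'   => 'renderResetFormSafe'] as $label => $fn) {
    $html = $fn($payload);
    echo $label, ': ', $html, PHP_EOL;
    echo '  single element: ', reflectsOnlyOneInput($html) ? 'yes' : 'NO', PHP_EOL;
}
```

Run it with the `php` CLI: the vulnerable rendering contains a second element (`<img`) while the hardened rendering keeps the whole input inside the attribute value.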