The create patient flow is allows stored XSS when using the following
name (script is executed when loading mdrtbEditPatient.form, and
potentially other pages that display the patient name).
Other places where patient/user name injects script:
module/reporting/reports/reportHistory.form (xss in automatically populated into the "Requested By" dropdown)
admin/users/user.form (Which Person? textbox autocomplete fires it)
admin/encounters/encounter.form (same dropdown as above. Just fix this control)
patientDashboard.form (multiple places where the name is displayed. Main page, demographics tab.
Every page when logged in as the xss username ("Currently logged in as <script>..") (meh..)
Privilege escalation scenario:
Setup: Admin creates "Person" record and links it to a User account.
1. User can change his/her name to include an XSS string (steal session cookie)
2. User gets admin to visit their "Person" profile, i.e.
admin/person/person.form?personId=93483. Script could steal admin
cookie and send it to a malicious url.
This issue was originally reported by: Kevin Jacobs