CVE-2021-40374

MEDIUM

Apperta Foundation OpenEyes 3.5.1 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-40374. PoCs published by DCKento.

AI-analyzed exploit summary This repository contains a writeup detailing a stored XSS vulnerability in OpenEyes 3.5.1, where the 'Address1' parameter allows JavaScript injection. The PoC demonstrates how an attacker can embed malicious scripts to execute arbitrary JavaScript in the context of a user's browser.

Description

A stored cross-site scripting (XSS) vulnerability was identified in Apperta Foundation OpenEyes 3.5.1. Updating a patient's details allows remote attackers to inject arbitrary web script or HTML via the Address1 parameter. This JavaScript then executes when the patient profile is loaded, which could be used in a XSS attack.

Exploits (1)

nomisec WRITEUP 2 stars
by DCKento · poc
https://github.com/DCKento/CVE-2021-40374

This repository contains a writeup detailing a stored XSS vulnerability in OpenEyes 3.5.1, where the 'Address1' parameter allows JavaScript injection. The PoC demonstrates how an attacker can embed malicious scripts to execute arbitrary JavaScript in the context of a user's browser.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: OpenEyes 3.5.1
Auth required
Prerequisites: Access to a patient profile with edit permissions
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Product, Vendor Advisory x_refsource_misc
https://openeyes.apperta.org/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/DCKento/CVE-2021-40374

Scores

CVSS v3 5.4
EPSS 0.0122
EPSS Percentile 64.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
apperta/openeye 3.5.1
Published Apr 06, 2022
Tracked Since Feb 18, 2026