A Reflected Cross-site scripting (XSS) vulnerability in interface/forms/eyemag/php/eyemagfunctions.php in OpenEMR < 7.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the REQUESTURI.